Date: Tue, 24 Jul 2001 19:38:10 -0500
From: Jon Loeliger <jdl@jdl.com>
To: Kris Kennaway <kris@obsecurity.org>
Cc: Peter Pentchev <roam@orbitel.bg>, security@freebsd.org
Subject: Re: Security Check Diffs Question
Message-ID: <200107250038.TAA07176@chrome.jdl.com>
In-Reply-To: Your message of "Tue, 24 Jul 2001 15:47:11 PDT." <20010724154711.B36368@xor.obsecurity.org>
So, like Kris Kennaway was saying to me just the other day:

> > ypchfn changed its inode number, and its link count. This means that
> > somebody performed an unlink() (delete) on ypchfn, and then created
> > a new ypchfn with the same size, timestamp, permissions and stuff,
> > but still a new file - and that's where the hardlink count + inum
> > tracking of /etc/security kicked in and alerted you.
>
> This is a signature I've seen before; chances are someone has gained
> root on your machine (probably through telnetd)

Excellent. So given the grim situation, this is what I want to hear.

The system was compromised. My suspicion is that telnetd was the culprit, given it came on the heels of the telnet Security announcement. No, I hadn't fixed it yet. Man, there just isn't enough time in the day to do your real job _and_ plug the security holes! :-(

So the machine is currently off the air. I'll rebuild it. And would that be 4.4 or 4.3? Rats.

I'm also going to set up a more serious DMZ firewall. Can I ask you guys questions and hold my hand through setting it all up? I am not familiar with IPFW, but I know what it does, how it works, networking and IP details.

So here's what I think I want to set up now:

- External ISP ISDN wire comes out of the wall,
- Hits the Ascend Pipeline-50 and comes out ethernet,
- Goes into a DMZ box on one ether card,
- Same DMZ box has IPFW rules allowing traffic (or not) to be forwarded to the second ether card in that box,
- The second ether card plugs into the 24-port switch,
- Everything else on the "inside" plugs into that same switch.

For starters, do I have the basic scheme right?

( So I'm waiting on the high speed link to come up again, and eventually the Pipe-50 gets replaced with a T-1 LMC card. (Does FreeBSD have an LMC T-1 driver? Or will I have to use this old POS Linux box for that?) )

You know, this is a pain! But I appreciate your suggestions!

:-)
jdl
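The quoted explanation above describes the exact signature FreeBSD's /etc/security check caught: a binary whose size, timestamp and permission bits are unchanged but whose inode number and hard-link count differ, which means the original was unlinked and a new file put in its place. The following script is an added example (not part of this message, nor FreeBSD's own /etc/security script) showing how that comparison works: it snapshots inode, link count, size, mtime and mode per path, then classifies differences between two snapshots. The two embedded snapshots are constructed sample data, and the inode and link-count values in them are invented.

```python
"""Detect the replaced-binary signature: same size/mtime/mode, different inode
or link count.  Added example; snapshot values below are constructed."""
import os
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    inode: int   # inode number (st_ino)
    nlink: int   # hard-link count (st_nlink)
    size: int    # file size in bytes
    mtime: int   # modification time, whole seconds
    mode: int    # permission bits only (S_IMODE), incl. setuid/setgid


def snapshot(paths):
    """Record identity and attribute fields for each existing path.

    lstat() is used so a symlink dropped in place of a binary is recorded as
    the link itself rather than as its target.  Missing paths are skipped so
    the caller can report them as 'removed' on the next comparison.
    """
    records = {}
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        records[path] = FileRecord(
            inode=st.st_ino,
            nlink=st.st_nlink,
            size=st.st_size,
            mtime=int(st.st_mtime),
            mode=stat.S_IMODE(st.st_mode),
        )
    return records


def compare(old, new):
    """Classify every path in the two snapshots.

    'replaced'  - inode or link count changed while size, mtime and mode did
                  not: a new file masquerading as the old one (the ypchfn case).
    'modified'  - any other attribute change (size, mtime, mode, or a mix).
    'added' / 'removed' - present in only one snapshot.
    """
    findings = {"replaced": [], "modified": [], "added": [], "removed": []}
    for path, before in old.items():
        after = new.get(path)
        if after is None:
            findings["removed"].append(path)
            continue
        if after == before:
            continue
        identity_changed = (after.inode, after.nlink) != (before.inode, before.nlink)
        attrs_unchanged = (after.size, after.mtime, after.mode) == (
            before.size, before.mtime, before.mode)
        if identity_changed and attrs_unchanged:
            findings["replaced"].append(path)
        else:
            findings["modified"].append(path)
    for path in new:
        if path not in old:
            findings["added"].append(path)
    return findings


# Constructed snapshots.  /usr/bin/ypchfn is modelled as a hard link to chpass
# (nlink 3) in the baseline; afterwards it is a fresh single-link file with
# identical size, mtime and setuid mode, i.e. the signature from the message.
OLD_SNAPSHOT = {
    "/usr/bin/ypchfn": FileRecord(inode=12345, nlink=3, size=18628, mtime=995000000, mode=0o4555),
    "/usr/bin/login":  FileRecord(inode=12346, nlink=1, size=22104, mtime=995000000, mode=0o4555),
    "/etc/passwd":     FileRecord(inode=40001, nlink=1, size=1530,  mtime=995100000, mode=0o644),
}
NEW_SNAPSHOT = {
    "/usr/bin/ypchfn": FileRecord(inode=98765, nlink=1, size=18628, mtime=995000000, mode=0o4555),
    "/usr/bin/login":  FileRecord(inode=12346, nlink=1, size=22104, mtime=995000000, mode=0o4555),
    "/etc/passwd":     FileRecord(inode=40001, nlink=1, size=1602,  mtime=995200000, mode=0o644),
}


def demo():
    """Run the comparison over the constructed snapshots and return findings."""
    return compare(OLD_SNAPSHOT, NEW_SNAPSHOT)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

In real use the baseline snapshot must be stored off the host (or on read-only media), since an attacker with root can regenerate it; the comparison itself is only as trustworthy as the stored baseline.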
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200107250038.TAA07176>