From owner-freebsd-security Sun Jun 23 18:37:28 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA10880 for security-outgoing; Sun, 23 Jun 1996 18:37:28 -0700 (PDT)
Received: from time.cdrom.com (time.cdrom.com [204.216.27.226]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA10875; Sun, 23 Jun 1996 18:37:26 -0700 (PDT)
Received: from time.cdrom.com (localhost [127.0.0.1]) by time.cdrom.com (8.7.5/8.6.9) with ESMTP id SAA08357; Sun, 23 Jun 1996 18:37:01 -0700 (PDT)
To: jaeger
cc: hackers@freebsd.org, security@freebsd.org, ache@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-reply-to: Your message of "Sun, 23 Jun 1996 21:08:46 EDT."
Date: Sun, 23 Jun 1996 18:37:01 -0700
Message-ID: <8355.835580221@time.cdrom.com>
From: "Jordan K. Hubbard"
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> > jkh p2 a235.pu.ru Sun04PM - -bash (bash)
> >
> Sure gets the heart pounding doesn't it?

It doesn't give one warm fuzzy feelings, no! :-)

> Contact the Russians on a secure channel (woo, sounds like a spy
> novel). Sweep the machine for suid shells and changed binaries. You might

Well, that's why I cc'd Andrey - he's far more "plugged in" to that whole community than I am. A break-in to wcarchive affects us all since he could have easily wiped out or compromised our FreeBSD distributions there (they're writable by me, naturally). I'm running checks now.

I'm sorry to throw fear, uncertainty and doubt into everyone by noting this possibility, but it'd be remiss of me if I didn't. I'll do my best to verify the checksums (and checksum files) we have, rebuilding anything which looks suspect. David will also do a more complete security audit of this machine later on tonight.

> want to suspend some remote logins until you have this worked out.

I'd like to, but there are too many people running here now and I don't want to bring all work to a grinding halt over this. I'll see what I can do.

> The process accounting logs, if you run that, may be illuminating.

Unfortunately we don't since wcarchive has so many processes running on it that we'd need an entire 4GB disk just for the logs. :-(

> Check your history file (.bash_history in this case) and anything else he
> may have left around (I'm somewhat unclear on whether your home directory
> was actually removed).

It was and he was smart enough to wipe both the .bash_history file and the shell history (I checked before jumping on him).

> Even if you find no altered binaries or other evidence the intruder
> had gained root access, I'd still fire up lsof and look for sniffers or
> backdoor processes. Use tcp wrappers to deny access from *.ru or all but
> selected hosts.

I'll do what I can - running monitoring on this machine is problematic due to the load. There are 1250 ftp users logged in right now (he WOULD pick the day after a new version of Quake was released) and the list of open files numbers literally in the thousands. :-(

> I'd say your chances of tracking this guy down are pretty slim
> unless the Russian hosts weren't root compromised or they were running
> enhanced logging or network monitors.

I'm hoping that someone at pu.ru will help us out here. I don't think that they want the reputation this is going to garner for them.

> Could this intrusion possibly have been a result of using cleartext
> remote login sessions?

I don't think so - I have a pretty secure path to wcarchive (the T1 at WC goes straight into the same service provider's backbone that wcarchive is on). Both David and I are somewhat worried by this compromise.

Jordan
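The two post-compromise checks the thread talks about (re-verifying a checksum manifest of the distribution tree, and sweeping for setuid files that were not there before) as an added example; this is not code from the thread or from FreeBSD, the function names `hash_file`, `make_manifest`, `verify_manifest` and `find_new_setuid` are chosen for this example, and it assumes the baseline manifest and known-setuid list were recorded from a trusted copy before the incident.

```shell
#!/bin/sh
# Added example: baseline-vs-live integrity sweep after a suspected break-in.
# Assumption: the manifest and the known-setuid list were produced from a trusted
# copy BEFORE the incident. Run find/sha256sum from clean media if the host's own
# binaries are in doubt, since a tampered tool would hide its own changes.

# sha256 of one file; portable across GNU (sha256sum) and BSD-style (shasum) userlands.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Emit "<sha256>  <path>" for every regular file under $1 (the baseline manifest).
make_manifest() {
    find "$1" -type f | LC_ALL=C sort | while read -r f; do
        printf '%s  %s\n' "$(hash_file "$f")" "$f"
    done
}

# Re-check a manifest against the live tree. Prints CHANGED/MISSING lines;
# returns 1 if anything differs, 0 if every file still matches its recorded hash.
verify_manifest() {
    status=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED $path"; status=1
        fi
    done < "$1"
    return $status
}

# List setuid/setgid files under $1 absent from the known-good list $2 (one path
# per line). Any unexpected entry is the classic sign of a planted "suid shell".
find_new_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | LC_ALL=C sort \
        | grep -vxF -f "$2" || true
}
```

A non-zero exit from `verify_manifest` is the signal to rebuild the flagged files from a trusted source, as the thread describes, rather than trusting the copies on the box.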