From owner-freebsd-security Thu Aug 27 00:44:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id AAA27592 for freebsd-security-outgoing; Thu, 27 Aug 1998 00:44:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from banshee.cs.uow.edu.au (banshee.cs.uow.edu.au [130.130.188.1]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id AAA27585 for ; Thu, 27 Aug 1998 00:44:13 -0700 (PDT) (envelope-from ncb05@banshee.cs.uow.edu.au)
Received: (from ncb05@localhost) by banshee.cs.uow.edu.au (8.9.1/8.9.1) id RAA17401; Thu, 27 Aug 1998 17:43:05 +1000 (EST)
Date: Thu, 27 Aug 1998 17:43:04 +1000 (EST)
From: Nicholas Charles Brawn
X-Sender: ncb05@banshee.cs.uow.edu.au
To: Wilson MacGyver
cc: security@FreeBSD.ORG
Subject: Re: post breakin log
In-Reply-To: <199808270538.BAA01341@armitage.cylatech.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 27 Aug 1998, Wilson MacGyver wrote:

> Hi guys,
>
> My FreeBSD box got hacked about two days ago... yes yes, via the popper.
> I reinstalled the system, but saved the log. I was looking through to
> see what he has done. There is some stuff you may find interesting...
>
> the log from history follows.
>
> From the log, it seems he is very knowledgeable about FreeBSD.
> though I must admit, I don't get why he makes the /dev/sync.
> also, I don't know what the deal with the bnc* stuff

If you have a log, he can't be that knowledgeable. A few simple ways of
avoiding history logs include:

evil@crescent:~$ echo $SHELL
/usr/local/bin/bash
evil@crescent:~$ ls .bash_history
-rw-r--r--  1 evil  evil  904 Aug 27 04:06 .bash_history
evil@crescent:~$ rm .bash_history
evil@crescent:~$ ln -s /dev/null .bash_history
evil@crescent:~$ ls .bash_history
lrwxrwxrwx  1 evil  evil  9 Aug 27 17:42 .bash_history@ -> /dev/null
evil@crescent:~$

All logs will be sent to /dev/null.
Another way (for bash at least) would be to export HISTFILESIZE=0.

And don't forget what we can do with chflags on BSD:

evil@crescent:~$ rm .bash_history
evil@crescent:~$ touch .bash_history
evil@crescent:~$ chflags uchg .bash_history
evil@crescent:~$ ls -lo .bash_history
-rw-r--r--  1 evil  evil  uchg 0 Aug 27 17:44 .bash_history
evil@crescent:~$ echo blah > .bash_history
su: .bash_history: Operation not permitted
evil@crescent:~$

Now, how can you prevent nefarious users doing the above? Using bash as an
example, set up a .profile and .bashrc and chflags them sappnd. Do the same
to .bash_history. I'm sure you can think of how to do similar things with
different shells.

> He installed a backdoor on my system, and then attacked a bunch
> of systems while he was on. He even has a freebsd root kit. :)
                                               ^^^^^^^^^^^^^^^^

Trademark of a script kiddy. People you should worry about are those with
custom stealth lkm's and other nastiness.

> any suggestion to prevent further break-ins is appreciated.
> other than "not to run popper" anymore. (grin)

If you must allow shell access, limit it accordingly. You may want to look
at a small patch that prevents users executing binaries in untrusted
directories - http://rabble.uow.edu.au/~nick/security/tpe.stable.diff.

> has anyone seen some of these programs he ran/install/compile
> before?
>
> Thanks,
> Mac
> [ history removed ]

Hope the cleanup isn't too bad. :)

Nick
--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
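The three history-evasion tricks in the mail above (symlinking .bash_history to /dev/null, exporting HISTFILESIZE=0 from a startup file, and setting the uchg flag) and the suggested countermeasure (chflags sappnd on the startup files and the history file) can be turned into a small audit-and-harden script. The script below is an added example and is not part of the original message or of FreeBSD; the function names audit_history and harden_history and the constructed demo directory are this example's own. It also goes slightly beyond the mail: the startup-file check covers HISTSIZE=0, HISTFILE=/dev/null and unset HISTFILE as well, and the hardening step falls back to chattr +a where chflags does not exist.

```shell
#!/bin/sh
# Added example (not from the original mail or from FreeBSD): audit a home
# directory for the shell-history evasion tricks discussed in the thread, and
# apply the append-only hardening the mail suggests.

# audit_history HOME
# Prints one "TAG: detail" line per finding and always returns 0, so it is
# safe to call inside command substitutions under 'set -e'.
audit_history() {
    home=$1
    hist="$home/.bash_history"

    # Trick 1: .bash_history replaced by a symlink (classically to /dev/null).
    if [ -L "$hist" ]; then
        echo "SYMLINK: $hist -> $(readlink "$hist")"
    fi

    # Trick 2: user-immutable flag (chflags uchg) on a BSD system, visible in
    # 'ls -lo'. Skipped on systems without chflags, where the flag cannot exist.
    if [ -f "$hist" ] && [ ! -L "$hist" ] && command -v chflags >/dev/null 2>&1; then
        if ls -lo "$hist" 2>/dev/null | grep -q 'uchg'; then
            echo "UCHG: $hist is user-immutable"
        fi
    fi

    # Trick 3: history switched off from a startup file. The mail names
    # HISTFILESIZE=0; HISTSIZE=0, HISTFILE=/dev/null and 'unset HISTFILE'
    # achieve the same thing, so they are matched too.
    for rc in .profile .bash_profile .bash_login .bashrc; do
        f="$home/$rc"
        [ -f "$f" ] || continue
        if grep -Eq '(HISTFILESIZE|HISTSIZE)=0|HISTFILE=/dev/null|unset[[:space:]]+HISTFILE' "$f"; then
            echo "RCFILE: $f disables history"
        fi
    done
    return 0
}

# harden_history HOME
# The defensive side of the mail: make the startup files and the history file
# append-only so the account owner can neither truncate nor replace them.
# Must run as root. chflags sappnd is a system flag: only root can set it and
# nobody can clear it while securelevel > 0. chattr +a is the Linux
# equivalent. Returns 0 on success, 1 if no supported tool is available.
harden_history() {
    home=$1
    for f in .profile .bashrc .bash_history; do
        [ -e "$home/$f" ] || : > "$home/$f"
        if command -v chflags >/dev/null 2>&1; then
            chflags sappnd "$home/$f" || return 1
        elif command -v chattr >/dev/null 2>&1; then
            chattr +a "$home/$f" || return 1
        else
            return 1
        fi
    done
    return 0
}

# Demo on a constructed home directory that uses two of the tricks
# (the uchg trick needs a BSD host and is not reproduced here).
demo_dir=$(mktemp -d)
ln -s /dev/null "$demo_dir/.bash_history"
printf 'export HISTFILESIZE=0\n' > "$demo_dir/.bashrc"
audit_history "$demo_dir"
rm -rf "$demo_dir"
```

Two caveats for anyone deploying the hardening half. First, bash rewrites (truncates) the history file on exit unless `shopt -s histappend` is set, and a truncating open fails on an append-only file, so put `shopt -s histappend` in the protected, system-wide startup file or nothing will be recorded at all. Second, an append-only history is a speed bump rather than a record: the user can still start another shell with `bash --norc`, `unset HISTFILE` interactively, or `kill -9` their own shell before it writes. Process accounting (`accton`/`lastcomm`) and syslog to a separate host are what actually survive a compromised account.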