Date:      Thu, 27 Aug 1998 17:43:04 +1000 (EST)
From:      Nicholas Charles Brawn <ncb05@uow.edu.au>
To:        Wilson MacGyver <macgyver@cylatech.com>
Cc:        security@FreeBSD.ORG
Subject:   Re: post breakin log
Message-ID:  <Pine.SOL.4.02A.9808271729290.11785-100000@banshee.cs.uow.edu.au>
In-Reply-To: <199808270538.BAA01341@armitage.cylatech.com>

On Thu, 27 Aug 1998, Wilson MacGyver wrote:

> Hi guys,
> 
> My FreeBSD box got hacked about two days ago... yes yes, via the popper.
> I reinstalled the system, but saved the log. I was looking through to
> see what he has done. There is some stuff you may find interesting...
> 
> the log from history follows.
> 
> From the log, it seems he is very knowledgeable about FreeBSD.
> though I must admit, I don't get why he makes the /dev/sync.
> also, I don't know what the deal is with the bnc* stuff

If you have a log, he can't be that knowledgeable. A few simple ways of
avoiding history logs include:

evil@crescent:~$ echo $SHELL
/usr/local/bin/bash
evil@crescent:~$ ls -lF .bash_history
-rw-r--r--  1 evil  evil  904 Aug 27 04:06 .bash_history
evil@crescent:~$ rm .bash_history
evil@crescent:~$ ln -s /dev/null .bash_history
evil@crescent:~$ ls -lF .bash_history
lrwxrwxrwx  1 evil  evil  9 Aug 27 17:42 .bash_history@ -> /dev/null
evil@crescent:~$

All logs will be sent to /dev/null.

Another way (for bash at least), would be to export HISTFILESIZE=0. And
don't forget what we can do with chflags on bsd:

evil@crescent:~$ rm .bash_history
evil@crescent:~$ touch .bash_history
evil@crescent:~$ chflags uchg .bash_history
evil@crescent:~$ ls -lo .bash_history
-rw-r--r--  1 evil  evil  uchg 0 Aug 27 17:44 .bash_history
evil@crescent:~$ echo blah > .bash_history
su: .bash_history: Operation not permitted
evil@crescent:~$

Now, how can you prevent nefarious users doing the above?

Using bash as an example, set up a .profile and .bashrc and chflags
them sappnd. Do the same to .bash_history. I'm sure you can think of
how to do similar things with different shells.

> He installed a backdoor on my system, and then attacked a bunch
> of systems while he was on. He even has a freebsd root kit. :)
				            ^^^^^^^^^^^^^^^^
Trademark of a script kiddy. People you should worry about are those
with custom stealth lkm's and other nastyness.

> any suggestion to prevent further break-ins is appreciated.
> other than "not to run popper" anymore. (grin)

If you must allow shell access, limit it accordingly. You may want to
look at a small patch that prevents users executing binaries in untrusted 
directories - http://rabble.uow.edu.au/~nick/security/tpe.stable.diff.

> has anyone seen some of these programs he ran/install/compile
> before?
> 
> Thanks,
> Mac
> 
[ history removed ]

Hope the cleanup isn't too bad. :)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick 
Key fingerprint =  DE 30 33 D3 16 91 C8 8D  A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
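
The two history-evasion tricks Nick shows above (a .bash_history symlinked to /dev/null, and history switched off from a startup file) and his countermeasure (chflags sappnd on the dotfiles and the history file), as an added example that is not code from the original thread. audit_home is a portable sh check for the tricks; lock_history applies the sappnd flag and must be run as root on FreeBSD. The function names, the list of files checked, the pattern of variable settings it looks for, and the histappend line it appends to .bashrc are this example's own assumptions, not anything from the mail.

```shell
#!/bin/sh
# Added example, not part of the original mail.
#   audit_home DIR       - portable check of one home directory for the
#                          history-evasion tricks described in the thread
#   lock_history DIR USER- Nick's countermeasure: chflags sappnd (FreeBSD, root)
# File names and patterns below are this example's own choices.

# Startup-file settings that disable or redirect bash history. bash consults
# HISTFILE, HISTFILESIZE and HISTSIZE; this pattern is a hypothetical
# starting list, not an exhaustive one.
EVASION_RE='(HISTFILESIZE|HISTSIZE)=0([^0-9]|$)|HISTFILE=/dev/null|unset[[:space:]]+HISTFILE'

# audit_home DIR: print each finding; return 0 if anything suspicious was
# found, 1 if the directory looks clean.
audit_home() {
    home=$1
    suspicious=1
    hist=$home/.bash_history

    # Trick 1 from the mail: .bash_history replaced by a symlink. A link to
    # /dev/null discards the history; any other target deserves a look too.
    if [ -L "$hist" ]; then
        echo "$home: .bash_history is a symlink to $(readlink "$hist")"
        suspicious=0
    fi

    # Trick 2: history disabled from a startup file, so every new login
    # inherits it. Check the files bash reads for login and interactive shells.
    for f in .profile .bash_profile .bash_login .bashrc; do
        [ -f "$home/$f" ] || continue
        if grep -Eq "$EVASION_RE" "$home/$f"; then
            echo "$home: $f disables history:"
            grep -En "$EVASION_RE" "$home/$f" | sed 's/^/    /'
            suspicious=0
        fi
    done

    return $suspicious
}

# lock_history DIR USER: Nick's countermeasure. sappnd is the system
# append-only flag: only root can set it, and with kern.securelevel > 0 root
# cannot clear it either. The user can still append to the files but cannot
# truncate, replace, rename or delete them, which is exactly what the
# rm / ln -s trick needs. bash reads the first of .bash_profile, .bash_login,
# .profile that exists, so a locked .profile could be shadowed by creating
# .bash_profile; this example therefore makes sure .bash_profile exists
# (sourcing .profile if it had to create it) and locks it as well.
# FreeBSD only; must run as root.
lock_history() {
    home=$1
    user=$2
    if [ ! -e "$home/.bash_profile" ]; then
        printf '. "$HOME/.profile"\n' > "$home/.bash_profile"
        chown "$user" "$home/.bash_profile"
    fi
    for f in .profile .bashrc .bash_history; do
        if [ ! -e "$home/$f" ]; then
            : > "$home/$f"
            chown "$user" "$home/$f"
        fi
    done
    # bash rewrites .bash_history from scratch at exit unless histappend is
    # set, and an append-only file refuses that: turn histappend on first.
    echo 'shopt -s histappend' >> "$home/.bashrc"
    for f in .bash_profile .profile .bashrc .bash_history; do
        chflags sappnd "$home/$f" || return 1
    done
}

# Usage: sh histaudit.sh /home/*            (audit every home directory)
#        sh histaudit.sh -l /home/evil evil  (lock one account, as root)
case "${1-}" in
    '') ;;
    -l) shift; lock_history "$1" "$2" ;;
    *)  for h in "$@"; do audit_home "$h"; done ;;
esac
```

Two caveats the mail does not spell out. With sappnd on .bash_history the file can only grow, so bash's HISTFILESIZE trimming silently stops working; that is the price of the lock. And the lock only raises the bar: a user can still type unset HISTFILE at the prompt, start bash --norc, exec a different shell, or kill -9 $$ so bash never gets to write the file at exit. Shell history is a convenience, not an audit trail; process accounting (accton(8)/lastcomm(1)) records commands independently of the shell.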
