|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Hacked? (UPDATE)
From: Peter Elsner (peter
servplex.com)
Date: Sat May 10 2003 - 15:29:58 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Update, for those that want to know...
The attacker used a worm or bot that tried hundreds (if not thousands) of
connections through SMBD. (Samba).
I was running 2.2.7. I noticed the attempts for a week, but the log file
always showed "access denied" so I wasn't
too worried about it. Well, obviously, one of those attempts got through...
At this time, the worm (or bot) modified the modification date with a
program called systemf (in the /usr/bin directory).
This prevented me from listing last modification dates (all dates in ls
were replaced with the letter f ).
Then he created an /etc/rc.local file and added an entry to start inetd and
a trojaned sshd (on port 44444). I put everything in /usr/local/etc/rc.d
so I didn't originally have an /etc/rc.local.
netstat (in /usr/bin) was renamed to netstats and a new netstat (much
smaller in size) was placed in the /usr/bin directory.
I'm not really sure what this new netstat did.
I believe only the /usr/bin directory and /usr/sbin directory were affected
(after doing quite a bit of research), plus the 2 hidden directories
that were created and the /etc/rc.local file.
The trojaned sshd was stored in /dev/fd/.99 or in /usr/lib/.fx (not sure
which).
I suspect that the passwd and master.passwd files were then emailed or
ftp'd to the hacker for later inspection.
This way, even if I close the Samba hole (which I've done), the trojaned
sshd that he/she put in place would allow
the attacker to get back in using any of the passwords in the
passwd/master.passwd list.
Anyway,
Thanks to all who answered my request for help and more info (both on this
list and privately).
I have completely fdisk'ed the drive and re-installed. I'm now restoring
from last weeks master backup.
Peter
----------------------------------------------------------------------------------------------------------
Peter Elsner <peterservplex.com>
Vice President Of Customer Service (And System Administrator)
1835 S. Carrier Parkway
Grand Prairie, Texas 75051
(972) 263-2080 - Voice
(972) 263-2082 - Fax
(972) 489-4838 - Cell Phone
(425) 988-8061 - eFax
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry
that 10 or 15 years from now, she will come to me and say "Daddy, where
were you when they took freedom of the press away from the Internet?"
-- Mike Godwin
Unix IS user friendly... It's just selective about who its friends are.
System Administration - It's a dirty job, but somebody said I had to do it.
If you receive something that says 'Send this to everyone you know,
pretend you don't know me.
Standard $500/message proofreading fee applies for UCE.
_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]