January 24th, 2002, 12:59 AM
hacked and confused
Hey everyone, i had a freebsd server running version 4.3 and it got hacked by one of my users. I think he used some sort of script but im not sure the only thing open to the outside world is ssh i think he gave over his a account to a pro and had him hack it . I know he did'tdo a brute force hack on ssh because i turned off root log on from ssh so all he could have done was bruteforce a member in the wheel group then crack su login but i checked all of my logs and all logins are accounted for. On the inside ive got mysql running, sendmail and a few other things. I was just wondering if anyone had any ideas off the top of there head.
January 24th, 2002, 01:04 AM
Just from a quick scan (working right now), I'd say check your sendmail. All he has to do is exploit a known service like ftpd or sendmail and he'd have a root shell. Unless you've got a version of ssh that had problems, I'd start there. I'll look into it more when I get some free time but BSD itself is pretty secure.
We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.
January 24th, 2002, 02:31 AM
if I had a dollar for every "script kiddie" who tried to bash his way in my boxes through ssh I'd be a millionaire
if I had a dollar for every administrator I know who's been hacked through the same method I'd be a thousandaire....
doh.... the last instance I saw (and quite in fact posted about a few days ago) the nasty little kid who decided to break in threw in a few sniffers, and played around a bit with our Postfix (mail app, kinda like sendmail only I dont like it as much)
best bet is to burn the box down, restart clean.... patch all and watch those logs!!! gotta watch those logs... you can always backup what you have now, and go through it with a fine toothed comb for something.. but then again how clean is your directory structure and how well do you know all (ahhh yes all even) of your files... me... I dunno all my files inside and out.. box gets burned... start over ... yeah.
Check out your SSH like Vor says... see how old it is... if you've gone a while without patching my first guesses would be SSH, then FTPD.... apache might be a problem too...
and if theres an off chance your running an X server (hummingbird... something like that) that or an X app you may have could have been it...
doh... fun begins eh good luck!!
I\'ll preach my pessimism right out loud to anyone that listens!
I\'m not afraid to be alive.... I\'m afraid to be alone.
January 28th, 2002, 01:16 PM
the Teso crew has released an exploit for sshd (i believe it's been already published on packetstorm) that works for OpenSSH < 3.0.2p1. So if you were running something like 2.5.* you were toasted
also don't rely on logs read after you were hacked, unless you're using one of the "nazi" logging features (logging on another machine or on a fanfold printer) because the first thing a hacker does when s/he gets into a box is erase the logs...
if you say the person had an account on the machine things get more complicated ...you also have to take into consideration things like suid/gid programs and file permissions.
go through everything again and think about what could've happened!
January 29th, 2002, 01:31 AM
Thanks for all of your imput but i figured out what the guy did. He edit his login_conf file and put the file name as /etc/master.passwd and piped the out put to a file then when he re-loged on it displayed the master.passwd file contents then he ran crack on it and a week later had my root password this vulnerability is in freebsd4.3 and before.