Hi,

Sorry for cross posting.

I have a FreeBSD 5.3-STABLE server which serves as a public shell server:

FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24 15:55:36 ULAT 2004 tsgan@public.ub.mng.net:/usr/obj/usr/src/sys/PSH i386

It has ssh and proftp-1.2.10 daemons.

However, it was hacked, and I'm trying to analyze it and having some difficulties.

The machine is configured in such a way that everyone can create an account for themselves.
Some user dir permissions:
...
drwxr-xr-x  2 root     wheel   512 Mar 29  2004 new
drwx------  3 tamiraad unix    512 Apr  9  2004 tamiraad
drwxr-xr-x  6 tsgan    tsgan  1024 Dec 16 17:51 tsgan
drwx------  4 tugstugi unix    512 Dec 13 20:34 tugstugi
drwxr-xr-x  5 unix     unix    512 Dec 13 12:37 unix
...
A user should log on as 'new' with password 'new' to create an account.

Accounting is enabled and kern.securelevel is set to 2.
Only one account, 'tsgan', is in the wheel group, and only tsgan can become root using su.

Following is some strange output from grave-robber (Coroner's Toolkit):
...
Dec 13 04 20:18:40     5 m.c -rw-rw---- tugstugi smmsp /var/spool/clientmqueue/dfiBDCIeD0001529
Dec 13 04 20:34:58   512 m.. drwx------ tugstugi unix  /home/tugstugi
Dec 13 04 20:35:57   512 ..c drwx------ tugstugi unix  /home/tugstugi
Dec 14 04 00:19:56     0 m.c -rw-rw-rw- tugstugi unix  /home/tugstugi/.myrc

Dec 14 04 00:20:50  9665 m.. -rw-r--r-- tugstugi unix  /home/tsgan/.tmp/known_hosts
                    9665 m.c -rw-r--r-- tugstugi unix  /home/tugstugi/.ssh/known_hosts

Dec 15 04 19:12:21  1002 m.c -rw------- tugstugi unix  /home/tugstugi/.shrc
...
Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to /home/tsgan/.tmp/known_hosts.
I don't know why.

Following is lastcomm output:
...
sshd     -F  tugstugi  __        0.16 secs  Tue Dec 14 23:01
sh       -   tugstugi  #C:5:0x1  0.03 secs  Tue Dec 14 23:02
su       -   tugstugi  #C:5:0x1  0.02 secs  Tue Dec 14 23:38
...
sshd     -F  tugstugi  __        0.08 secs  Tue Dec 14 22:41
sh       -   tugstugi  #C:5:0x1  0.02 secs  Tue Dec 14 22:41
who      -   tugstugi  #C:5:0x1  0.00 secs  Tue Dec 14 22:52
su       -   tugstugi  #C:5:0x1  0.02 secs  Tue Dec 14 22:48
sh       -   tsgan     #C:5:0x1  0.00 secs  Tue Dec 14 22:48
ls       -   tsgan     #C:5:0x1  0.00 secs  Tue Dec 14 22:52
su       -   tsgan     #C:5:0x1  0.02 secs  Tue Dec 14 22:49
csh      -   root      #C:5:0x1  0.03 secs  Tue Dec 14 22:49
...

In the above I think he had already hijacked my account and the root password, so he used su to become root.

sshd     -F  tsgan     __        0.02 secs  Tue Dec 14 00:27
sh       -   tsgan     ttyp0     0.02 secs  Tue Dec 14 00:27
cat      -   tsgan     ttyp0     0.00 secs  Tue Dec 14 00:28
su       -   tsgan     ttyp0     0.00 secs  Tue Dec 14 00:28
sleep    -   tsgan     ttyp0     0.00 secs  Tue Dec 14 00:27
^^^^^^
stty     -   tsgan     ttyp0     0.00 secs  Tue Dec 14 00:27
stty     -   tsgan     ttyp0     0.00 secs  Tue Dec 14 00:27
^^^^^^
fortune  -   tsgan     ttyp0     0.00 secs  Tue Dec 14 00:27
...

I don't quite understand why he used the sleep and stty commands above.
My suspicion is tty hijacking. Am I right? Correct me if I'm wrong.

sleep    -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:24
stty     -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:24
stty     -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:24
...
id       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:24
sleep    -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:24
stty     -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:24
stty     -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:24
id       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:24
cat      -   tsgan     #C:5:0x2  0.00 secs  Tue Dec 14 00:24
ls       -   tsgan     #C:5:0x2  0.00 secs  Tue Dec 14 00:24
su       -   tsgan     #C:5:0x2  0.02 secs  Tue Dec 14 00:23
sh       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
ls       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
id       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
ls       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
sleep    -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
stty     -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
stty     -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
ls       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
id       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
ls       -   tugstugi  #C:5:0x2  0.00 secs  Tue Dec 14 00:23
cat      -   tsgan     #C:5:0x2  0.00 secs  Tue Dec 14 00:23
su       -   tsgan     #C:5:0x2  0.02 secs  Tue Dec 14 00:23
cat      -   tsgan     #C:5:0x2  0.00 secs  Tue Dec 14 00:22
sleep    -   tsgan     #C:5:0x2  0.00 secs  Tue Dec 14 00:22
stty     -   tsgan     #C:5:0x2  0.00 secs  Tue Dec 14 00:22
stty     -   tsgan     #C:5:0x2  0.00 secs  Tue Dec 14 00:22
fortune  -   tsgan     #C:5:0x2  0.00 secs  Tue Dec 14 00:22
...

One more strange thing is "#C:5:0x2". What is this?

Again, I'm suspecting that this guy hijacked my tty and got tsgan, and then he could log my keystrokes and get the root password. Am I right?

Please give me some advice and info regarding this kind of hack.
What should I do in order to secure my shell server? I mean except securelevel, unneeded services etc.
Can somebody give me some hints on file and directory permissions?
Is there anybody who has a similar server config and already had such issues and problems?
I would appreciate it very much if somebody could help me in this regard.

thanks in advance,

Ganbold
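Added example, not part of the thread: a small Python parser for the lastcomm(1) records above that decodes the "#C:5:0x1" tty field and lists, per tty, which user each su handed the session to. The sample records are the ones quoted in the post, one per line; reading "#C:major:0xminor" as libc devname(3)'s fallback for a device with no matching /dev node is my explanation, not something the thread states, and the mapping of character major 5 to the pty slaves (so #C:5:0x1 would be ttyp1) is an assumption to confirm against the machine itself.

```python
import re

# Records quoted in the post, retyped one per line in lastcomm(1) layout
# (command, flags, user, tty, CPU time, start time); newest exit is first.
SAMPLE = """\
sshd -F tugstugi __ 0.08 secs Tue Dec 14 22:41
sh - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 22:41
who - tugstugi #C:5:0x1 0.00 secs Tue Dec 14 22:52
su - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 22:48
sh - tsgan #C:5:0x1 0.00 secs Tue Dec 14 22:48
ls - tsgan #C:5:0x1 0.00 secs Tue Dec 14 22:52
su - tsgan #C:5:0x1 0.02 secs Tue Dec 14 22:49
csh - root #C:5:0x1 0.03 secs Tue Dec 14 22:49
"""
RECORD = re.compile(r"^(\S+)\s+(-\S*)\s+(\S+)\s+(\S+)\s+([\d.]+) secs\s+"
                    r"\w{3} (\w{3})\s+(\d+) (\d\d):(\d\d)$")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# devname(3) prints "#C:major:0xminor" when no /dev node matches the device
# number stored in the accounting record (assumption: a pty slave node gone
# by the time lastcomm ran, e.g. when analysing the disk on another host).
DEVNAME_FALLBACK = re.compile(r"^#([CB]):(\d+):0x([0-9a-f]+)$")

def parse_lastcomm(text):
    """Return records in file order; 'start' is a sortable (mon, day, h, m)."""
    recs = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue                      # skips '...' and ragged lines
        cmd, flags, user, tty, secs, mon, day, hh, mm = m.groups()
        recs.append({"cmd": cmd, "flags": flags, "user": user, "tty": tty,
                     "secs": float(secs),
                     "start": (MONTHS[mon], int(day), int(hh), int(mm))})
    return recs

def decode_tty(tty):
    """(major, minor) for a '#C:5:0x2'-style tty field, else None."""
    m = DEVNAME_FALLBACK.match(tty)
    return (int(m.group(2)), int(m.group(3), 16)) if m else None

def su_transitions(recs, tty):
    """Pair each su on a tty with the user of the next process started there
    (the shell su handed over to).  A stable sort by start time keeps the
    later-exiting parent, which lastcomm lists first, ahead of its child."""
    chain = sorted((r for r in recs if r["tty"] == tty), key=lambda r: r["start"])
    hops = []
    for cur, nxt in zip(chain, chain[1:]):
        if cur["cmd"] == "su" and nxt["user"] != cur["user"]:
            hops.append((cur["user"], nxt["user"]))
    return hops
```

Run against the sample, su_transitions(parse_lastcomm(SAMPLE), "#C:5:0x1") yields tugstugi to tsgan and then tsgan to root, which is the escalation the post describes on that tty.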
Did I understand correctly that anyone can connect to the shell server and create an account for themselves?

I have a somewhat rudimentary hardening guide for FreeBSD at
http://www.syslog.org/Content-5-4.phtml

I've tried to keep it up-to-date, but I have yet to incorporate MAC, which I think will help out a good bit more.

I hope you find this useful.

Jerry
http://www.syslog.org

Ganbold <ganbold <at> micom.mng.net> wrote:
> Please give me some advice and info regarding this kind of hack.
> What should I do in order to secure my shell server? I mean except
> securelevel, unneeded services etc.
> Can somebody give me some hints on file and directory permissions?
> Is there anybody who has similar server config and already had such issues
> and problems?
security@revolutionsp.com
2004-Dec-18 05:54 UTC
Strange command histories in hacked shell server
You should have a script that creates a new user when people log in with 'new'.
Have you forbidden that script from overwriting your wheel account and re-creating root?
> _______________________________________________
> freebsd-hackers@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
> To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
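An added example (mine, not the poster's script) of the check this reply asks for: before the self-service 'new' login creates an account, refuse any name that already exists, that is listed in wheel, or that is malformed, so root or the wheel account can never be "recreated" with a visitor-chosen password. The passwd and group excerpts are constructed stand-ins for the server's real files, and /usr/local/bin/newuser is a placeholder path.

```python
import re

# Constructed excerpts standing in for the shell server's /etc/passwd and
# /etc/group (hashes omitted); the field layout matches the real files.
PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
tsgan:*:1001:1001:Tsgan:/home/tsgan:/bin/sh
new:*:1002:1002:Account creation:/home/new:/usr/local/bin/newuser
tugstugi:*:1003:1002:Tugstugi:/home/tugstugi:/bin/sh
"""
GROUP = """\
wheel:*:0:root,tsgan
unix:*:1002:
"""
# Conservative login name: lowercase, starts with a letter, at most 16
# characters, nothing a shell-based creation script would have to quote.
NAME_RE = re.compile(r"^[a-z][a-z0-9_-]{0,15}$")

def existing_users(passwd):
    """name -> uid for every passwd line (comments and blanks skipped)."""
    users = {}
    for line in passwd.splitlines():
        if line and not line.startswith("#"):
            f = line.split(":")
            users[f[0]] = int(f[2])
    return users

def group_members(group, name):
    """Set of supplementary members listed for 'name' in the group file."""
    for line in group.splitlines():
        f = line.split(":")
        if f[0] == name:
            return set(filter(None, f[3].split(",")))
    return set()

def check_new_username(name, passwd=PASSWD, group=GROUP):
    """None if the self-service script may create 'name', else the reason
    to refuse.  Existence is checked before anything else so root, toor and
    the wheel account can never be overwritten by a 'new' login."""
    if not NAME_RE.match(name):
        return "malformed login name"
    if name in existing_users(passwd):
        return "account already exists"
    if name in group_members(group, "wheel"):
        return "name is listed in wheel"   # stale group entry: still refuse
    if name in {"new", "daemon", "operator", "bin", "nobody"}:
        return "reserved name"
    return None
```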