Strange command histories in hacked shell server
security at revolutionsp.com
Fri Dec 17 08:52:05 PST 2004
You should have a script that creates a new user when people log in with
'new'. Have you forbidden that script from overwriting your wheel account and
re-creating root?
> Hi,
>
> Sorry for cross posting.
>
> I have a FreeBSD 5.3-stable server which serves as a public shell server.
>
> FreeBSD public.ub.mng.net 5.3-STABLE FreeBSD 5.3-STABLE #6: Wed Nov 24 15:55:36 ULAT 2004 tsgan at public.ub.mng.net:/usr/obj/usr/src/sys/PSH i386
>
> It has ssh and proftp-1.2.10 daemons.
>
> However, it was hacked, and I'm trying to analyze it and having some difficulties.
>
> The machine is configured in such a way that everyone can create an account themselves.
> Some user dir permissions:
> ...
> drwxr-xr-x 2 root wheel 512 Mar 29 2004 new
> drwx------ 3 tamiraad unix 512 Apr 9 2004 tamiraad
> drwxr-xr-x 6 tsgan tsgan 1024 Dec 16 17:51 tsgan
> drwx------ 4 tugstugi unix 512 Dec 13 20:34 tugstugi
> drwxr-xr-x 5 unix unix 512 Dec 13 12:37 unix
> ...
> User should log on as new with password new to create an account.
>
> Accounting is enabled and kern.securelevel is set to 2.
> Only one account, 'tsgan', is in the wheel group and only tsgan can become root using su.
>
> Following is some strange output from grave-robber (The Coroner's Toolkit):
> ...
> Dec 13 04 20:18:40 5 m.c -rw-rw---- tugstugi smmsp /var/spool/clientmqueue/dfiBDCIeD0001529
> Dec 13 04 20:34:58 512 m.. drwx------ tugstugi unix /home/tugstugi
> Dec 13 04 20:35:57 512 ..c drwx------ tugstugi unix /home/tugstugi
> Dec 14 04 00:19:56 0 m.c -rw-rw-rw- tugstugi unix /home/tugstugi/.myrc
>
> Dec 14 04 00:20:50 9665 m.. -rw-r--r-- tugstugi unix /home/tsgan/.tmp/known_hosts
> 9665 m.c -rw-r--r-- tugstugi unix /home/tugstugi/.ssh/known_hosts
>
> Dec 15 04 19:12:21 1002 m.c -rw------- tugstugi unix /home/tugstugi/.shrc
> ...
> Somehow he seems to have copied /home/tugstugi/.ssh/known_hosts to /home/tsgan/.tmp/known_hosts.
> I don't know why.
>
>
> Following is lastcomm output:
> ...
> sshd -F tugstugi __ 0.16 secs Tue Dec 14 23:01
> sh - tugstugi #C:5:0x1 0.03 secs Tue Dec 14 23:02
> su - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 23:38
> ...
> sshd -F tugstugi __ 0.08 secs Tue Dec 14 22:41
> sh - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 22:41
> who - tugstugi #C:5:0x1 0.00 secs Tue Dec 14 22:52
> su - tugstugi #C:5:0x1 0.02 secs Tue Dec 14 22:48
> sh - tsgan #C:5:0x1 0.00 secs Tue Dec 14 22:48
> ls - tsgan #C:5:0x1 0.00 secs Tue Dec 14 22:52
> su - tsgan #C:5:0x1 0.02 secs Tue Dec 14 22:49
> csh - root #C:5:0x1 0.03 secs Tue Dec 14 22:49
> ...
>
> In the above, I think he had already hijacked my account and the root password, so he used su to become root.
>
> sshd -F tsgan __ 0.02 secs Tue Dec 14 00:27
> sh - tsgan ttyp0 0.02 secs Tue Dec 14 00:27
> cat - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
> su - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
> sleep - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ^^^^^^
> stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ^^^^^^
> fortune - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
> ...
>
> I don't quite understand why he used the sleep and stty commands in the above.
> My suspicion is tty hijacking. Am I right? Correct me if I'm wrong.
>
> sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:24
> stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:24
> stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:24
> ...
> id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:24
> sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:24
> stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:24
> stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:24
> id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:24
> cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:24
> ls - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:24
> su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 00:23
> sh - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> sleep - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> stty - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> id - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> ls - tugstugi #C:5:0x2 0.00 secs Tue Dec 14 00:23
> cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:23
> su - tsgan #C:5:0x2 0.02 secs Tue Dec 14 00:23
> cat - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
> sleep - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
> stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
> stty - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
> fortune - tsgan #C:5:0x2 0.00 secs Tue Dec 14 00:22
> ...
> One more strange thing is "#C:5:0x2". What is this?
>
> Again, I'm suspecting that this guy hijacked my tty, got tsgan, and then could log my keystrokes and get the root password. Am I right?
>
> Please give me some advice and info regarding this kind of hack.
> What should I do in order to secure my shell server? I mean except
> securelevel, unneeded services etc.
> Can somebody give me some hints on file and directory permissions?
> Is there anybody who has a similar server config and has already had such issues and problems?
> I would appreciate it very much if somebody could help me in this regard.
>
> thanks in advance,
>
> Ganbold
>
>
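The check the reply asks about, as an added example that is not code from this thread or from the server described in it: the validation a "log in as new" account-creation script should perform before it ever calls pw(8). The passwd/group file paths, the reserved-name list and the sample entries (including the stale wheel member "oldadmin") are all assumptions constructed for the example.

```shell
# Added example, not code from the thread: what a "log in as new" creation
# script should verify before calling pw(8), so a visitor can never request
# a login that is reserved or already exists (root, the wheel member, the
# creation account itself). Paths are parameters so it runs on sample files.
export LC_ALL=C   # make [a-z] mean ASCII a-z whatever the caller's locale
# validate_newuser NAME PASSWD_FILE GROUP_FILE -> 0 if NAME may be created
validate_newuser() {
    name=$1 pwfile=$2 grfile=$3
    # 2..16 characters (FreeBSD's default login limit), a lowercase letter
    # first, then only lowercase letters, digits, '_' or '-'.
    if [ "${#name}" -lt 2 ] || [ "${#name}" -gt 16 ]; then
        echo "reject '$name': bad length" >&2; return 1
    fi
    case "$name" in
        [a-z]*) ;;
        *) echo "reject '$name': must start with a-z" >&2; return 1 ;;
    esac
    case "$name" in
        *[!a-z0-9_-]*) echo "reject '$name': illegal character" >&2; return 1 ;;
    esac
    # Names never handed out, even if absent from passwd (assumed list).
    for r in root toor new wheel daemon operator; do
        [ "$name" = "$r" ] && { echo "reject '$name': reserved" >&2; return 1; }
    done
    # Any existing login (covers every UID-0 account) or group name.
    if grep -q "^$name:" "$pwfile" || grep -q "^$name:" "$grfile"; then
        echo "reject '$name': login or group already exists" >&2; return 1
    fi
    # A login still listed as a wheel member (e.g. a stale entry).
    case ",$(awk -F: '$1 == "wheel" { print $4 }' "$grfile")," in
        *",$name,"*) echo "reject '$name': wheel member" >&2; return 1 ;;
    esac
    return 0
}
# Constructed sample files modelled on the server in the thread (not real data).
SAMPLE_PASSWD=$(mktemp) SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/csh' \
    'new:*:1001:1001:Account creation:/home/new:/path/to/newuser-script' \
    'tsgan:*:1002:1002:Admin:/home/tsgan:/bin/sh' \
    'tugstugi:*:1003:1003:User:/home/tugstugi:/bin/sh' > "$SAMPLE_PASSWD"
printf '%s\n' 'wheel:*:0:root,tsgan,oldadmin' \
    'unix:*:1003:tamiraad,tugstugi' 'tsgan:*:1002:' > "$SAMPLE_GROUP"
for n in ganbold root tsgan new unix oldadmin 'bad name'; do
    if validate_newuser "$n" "$SAMPLE_PASSWD" "$SAMPLE_GROUP"; then
        echo "ok: '$n' may be created"
    fi
done
```

Only "ganbold" passes; everything else is refused with a reason on stderr before any account is touched.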