I have been hacked (WAS: Have I been hacked or is nmap wrong?)

Will Maier willmaier at ml1.net
Wed Jan 18 06:26:10 PST 2006


On Wed, Jan 18, 2006 at 03:56:32PM +0200, Kilian Hagemann wrote:
> I have never even heard of "frox" before, but after some googling
> it turns out that it's a GPL'ed transparent ftp proxy...

Where's it pointing?

> Also, I said smtp ports were open on the machines in question, I
> just verified that I can send emails via BOTH these systems even
> though no sendmail/exim/whatever was ever installed by me and
> sendmail_enable="None" on both.

What do you see when you connect to the SMTP ports? Are they really
mail servers, or just rogue services running on 25?

> My servers have been compromised, fantastic. And that with an
> initial firewall'ed setup that left NO open ports (I verified that
> a while ago with nmap). So much for my impression that FreeBSD was
> secure.

My condolences; what you describe, though, doesn't really suggest
that /FreeBSD/ is insecure. In the vast majority of these situations
(and yes, I have found myself in your shoes before), the operator
(you or I) is to blame.

> How could this have happened? ipfw buffer overflow? Some other
> unknown vulnerability?

Ockham's razor: the simplest is also the most likely solution.
You're running Samba; is there any chance that that service or your
configuration of it could have opened a hole? How many people have
user accounts on that box? Do you allow
ChallengeResponseAuthentication on SSH? Key only?

> I really wanna find out how they got in (syslog offers no clues
> btw, I've been rootkitted after all :-( 

You'll need to do a more sophisticated forensic analysis, then, to
figure out what happened. Some basic questions: were you running a
file integrity monitor? What did it say? Do you have logs that were
remotely backed up (and, therefore, likely still accurate)? What do
they say? Do you have any network monitoring that might have
recorded an intrusion? What services /should/ be running on the box
(I don't think this was ever actually listed -- it would be useful
to know)? Do you have dumps of the traffic leaving or entering the
box?

Again, this is a tough and very unfortunate position to be in -- I
sympathize. It may very well not be worth the time it takes to fully
investigate the source of the compromise. Real forensic analysis is
outside most of our job descriptions; I know that my skillset
doesn't cover it well enough. An inept investigation can be much
worse than no investigation at all: consider (if you can afford it)
bringing in someone who can do a quick, good job of it.

> Any suggestions other than format/reinstall/tripwire?

I can't think of any better ideas. Certainly, I'd add updating the
system to your list. Even if the Security Alerts don't seem to
affect your setup, I find it's good practice to apply them in a
reasonable amount of time. At the very least, it keeps me in touch
with my boxes and lets me develop a routine in case an alert does
affect me.

Good luck!

-- 

o--------------------------{ Will Maier }--------------------------o
| jabber:..wcmaier at jabber.ccc.de | email:..........wcmaier at ml1.net |
| \.........wcmaier at cae.wisc.edu | \..........wcmaier at cae.wisc.edu |
*------------------[ BSD Unix: Live Free or Die ]------------------*
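One way to work through the inventory questions raised above (which services should be listening, and whether whatever answers on port 25 is really a mail server), as an added example that is not part of the original thread. The allowlist, the `sockstat` sample and the function names are assumptions.

```python
"""Inventory listening sockets against an allowlist and sanity-check an SMTP greeting.

Added example (not from the original thread): parse the output of
FreeBSD's `sockstat -4 -l`, report listeners the operator did not
expect, and check whether a port-25 greeting looks like real SMTP.
"""
import re

# Assumed allowlist: the operator only expects sshd and Samba.
# (protocol, port) -> expected command name.
EXPECTED_LISTENERS = {
    ("tcp", 22): "sshd",
    ("tcp", 139): "smbd",
    ("tcp", 445): "smbd",
}

# Constructed sample in `sockstat -4 -l` layout, not captured from a real box.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
root     smbd       601   5  tcp4   *:139                 *:*
root     smbd       601   6  tcp4   *:445                 *:*
root     frox       721   4  tcp4   *:2121                *:*
nobody   httpd      733   3  tcp4   *:25                  *:*
"""

def parse_sockstat(text):
    """Return (user, command, pid, proto, port) for each listening line."""
    rows = []
    for line in text.splitlines()[1:]:  # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        user, command, pid, _fd, proto, local = parts[:6]
        port = int(local.rsplit(":", 1)[1])  # "*:22" -> 22
        rows.append((user, command, int(pid), proto[:3], port))
    return rows

def unexpected_listeners(rows):
    """Flag listeners missing from the allowlist or served by the wrong program."""
    findings = []
    for user, command, pid, proto, port in rows:
        expected = EXPECTED_LISTENERS.get((proto, port))
        if expected is None:
            findings.append(f"unexpected {proto}/{port}: {command}[{pid}] as {user}")
        elif expected != command:
            findings.append(f"{proto}/{port} served by {command}, expected {expected}")
    return findings

# RFC 5321 greeting: "220 <domain> ..." (or "220-" for a multi-line greeting).
SMTP_GREETING = re.compile(rb"^220[ -]\S+")

def looks_like_smtp(banner):
    """True if the first line a port-25 service sends is an SMTP greeting."""
    return SMTP_GREETING.match(banner.split(b"\r\n", 1)[0]) is not None
```

On a live box the same two functions run over the real `sockstat -4 -l` output and over the first bytes read from port 25; a listener that is absent from the allowlist or that does not greet with `220` is what the questions above are asking you to look for.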