system breach

David Todd mobilepolice at gmail.com
Fri Dec 29 04:21:26 PST 2006 

something's up, nothing in ports will write to a /tmp/download
directory, so either you or someone with root access did it.

I suggest:
checking /var/log/auth.log for attempted breachings

run sockstat and look for processes with ports open that shouldn't
have ports open.

conftest cores ususally mean a ./configure was issued and parts of
said configure failed, them being so far apart suggests that some work
was done to the configure script to fix it.

If you didn't install anything from ports at or around those periods
of time, then someone was running a configure script to build
something on the machine.

I wouldn't be overly concerned that if you're dealing with a breach,
you're dealing with anyone who is compitent, change your passwords,
check auth.log for ssh connections and look at sockstat to see if any
programs are running that are listening on ports (that shouldn't be)

David

On 12/28/06, gareth <bsd at lordcow.org> wrote:
> hey guys, my server rebooted a few days ago, and while i was
> looking around for possible reasons (none came up, which's
> disconcerting in itself) i found this suspicious directory:
>
> $ ls -l /tmp/download
> total 44
> drwxr-xr-x  4 root  wheel    512 Oct 23 16:28 Archive_Tar-1.3.1
> drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 Console_Getopt-1.2
> drwxr-xr-x  3 root  wheel    512 Oct 23 16:28 XML_RPC-1.5.0
> -rw-r--r--  1 root  wheel  15433 Jul 12 02:09 package.xml
> -rw-r--r--  1 root  wheel  22193 Jul 12 02:09 package2.xml
>
>
> the subdirs contain a bunch've .php files, and the xml files
> are info about version updates of PEAR'S "XML-RPC for PHP".
> they're owned by root (only i have the passwd) so it wasn't
> made by a local user, and i assume it wasn't made by portupgrade
> or something like that?
>
> so, i've got no idea how that dir got there, i'm guessing via
> some web exploit that i still need to look into, and /tmp
> is mounted 'exec' for some legit processes to function, can't
> remember which, so it's possible they were able to upload
> something and run it. chkrootkit which i've only just installed
> seems clear.
>
> anyway, i'm trying to figure out when this happened to have
> something to go on, and i don't understand the stat command,
> for example:
>
> $ stat /tmp/download/package2.xml
> 60 49356 -rw-r--r-- 1 root wheel 198776 22193 "Dec 28 04:03:50 2006" "Jul 12 02:09:14 2006" "Oct 23 16:28:28 2006" "Jul 12 02:09:14 2006" 4096 44 0 /tmp/download/package2.xml
>
> taking hints from 'stat -x' and 'stat -s' i gather this means:
>
> access time = Dec 28 04:03:50 2006
> modify time = Jul 12 02:09:14 2006
> change time = Oct 23 16:28:28 2006
> birth  time = Jul 12 02:09:14 2006
>
> now how much of these dates are local or carried over from the source system,
> since my system was created at 08:00 on 21 Oct 2006 (ie. the Jul dates don't
> make sense)? (also what's the difference between modify and change time?)
>
> essentially is there a way i can tell when the files were put there?
>
> this's the directory's info too:
>
> $ stat /tmp/download
> 60 49346 drwxr-xr-x 5 root wheel 196642 512 "Dec 29 00:53:16 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" 4096 4 0 /tmp/download
>
>
>
>
> ps. out've interest:
>
> this's the only suspicious thing in the logs i could find:
>
> Oct 23 00:31:42 lordcow kernel: pid 48464 (conftest), uid 0: exited on signal 12 (core dumped)
> Oct 23 01:19:26 lordcow kernel: pid 17512 (conftest), uid 0: exited on signal 12 (core dumped)
>
> though from google it seems it could be an innocent apache thing.
>
> also around the 23rd or 24th of Oct i started taking md5sums of all the files in the bin and lib
> directories, and they haven't changed without my knowledge since then. course that doesn't help
> if the breach was in the 2 odd days before this and after the system was created. also, snort
> hasn't reported anything overly suspicious, and all packages are kept up to date.
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
>

More information about the freebsd-stable mailing list