Something's up: nothing in ports will write to a /tmp/download
directory, so either you or someone with root access did it.

I suggest:
checking /var/log/auth.log for attempted breaches

run sockstat and look for processes with ports open that shouldn't
have ports open.

conftest cores usually mean a ./configure was issued and parts of
said configure failed; the two being so far apart suggests that some work
was done on the configure script to fix it.

If you didn't install anything from ports at or around those periods
of time, then someone was running a configure script to build
something on the machine.

I wouldn't be overly concerned: if you're dealing with a breach,
you're not dealing with anyone who is competent. Change your passwords,
check auth.log for ssh connections, and look at sockstat to see if any
programs are running that are listening on ports (that shouldn't be).


On 12/28/06, gareth <bsd@xxxxxxxxxxx> wrote:
hey guys, my server rebooted a few days ago, and while i was
looking around for possible reasons (none came up, which is
disconcerting in itself) i found this suspicious directory:

$ ls -l /tmp/download
total 44
drwxr-xr-x 4 root wheel 512 Oct 23 16:28 Archive_Tar-1.3.1
drwxr-xr-x 3 root wheel 512 Oct 23 16:28 Console_Getopt-1.2
drwxr-xr-x 3 root wheel 512 Oct 23 16:28 XML_RPC-1.5.0
-rw-r--r-- 1 root wheel 15433 Jul 12 02:09 package.xml
-rw-r--r-- 1 root wheel 22193 Jul 12 02:09 package2.xml

the subdirs contain a bunch of .php files, and the xml files
are info about version updates of PEAR's "XML-RPC for PHP".
they're owned by root (only i have the passwd) so it wasn't
made by a local user, and i assume it wasn't made by portupgrade
or something like that?

so, i've got no idea how that dir got there, i'm guessing via
some web exploit that i still need to look into, and /tmp
is mounted 'exec' for some legit processes to function, can't
remember which, so it's possible they were able to upload
something and run it. chkrootkit which i've only just installed
seems clear.

anyway, i'm trying to figure out when this happened to have
something to go on, and i don't understand the stat command,
for example:

$ stat /tmp/download/package2.xml
60 49356 -rw-r--r-- 1 root wheel 198776 22193 "Dec 28 04:03:50 2006" "Jul 12 02:09:14 2006" "Oct 23 16:28:28 2006" "Jul 12 02:09:14 2006" 4096 44 0 /tmp/download/package2.xml

taking hints from 'stat -x' and 'stat -s' i gather this means:

access time = Dec 28 04:03:50 2006
modify time = Jul 12 02:09:14 2006
change time = Oct 23 16:28:28 2006
birth time = Jul 12 02:09:14 2006

now, how many of these dates are local and how many are carried over from the source system,
since my system was created at 08:00 on 21 Oct 2006 (i.e. the Jul dates don't
make sense)? (also, what's the difference between modify and change time?)

essentially is there a way i can tell when the files were put there?

this is the directory's info too:

$ stat /tmp/download
60 49346 drwxr-xr-x 5 root wheel 196642 512 "Dec 29 00:53:16 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" "Oct 23 16:28:28 2006" 4096 4 0 /tmp/download

ps. out of interest:

this is the only suspicious thing in the logs i could find:

Oct 23 00:31:42 lordcow kernel: pid 48464 (conftest), uid 0: exited on signal 12 (core dumped)
Oct 23 01:19:26 lordcow kernel: pid 17512 (conftest), uid 0: exited on signal 12 (core dumped)

though from google it seems it could be an innocent apache thing.

also, around the 23rd or 24th of Oct i started taking md5sums of all the files in the bin and lib
directories, and they haven't changed without my knowledge since then. of course that doesn't help
if the breach was in the 2 odd days before this and after the system was created. also, snort
hasn't reported anything overly suspicious, and all packages are kept up to date.
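Added example, not part of the thread and not gareth's or the replier's code: it takes the raw FreeBSD `stat` line gareth pasted apart by field position (assumed here to be FreeBSD's default order: dev, ino, mode, nlink, uid, gid, rdev, size, then the four quoted timestamps atime/mtime/ctime/birthtime, then blksize, blocks, flags, path), and then shows, with a constructed tarball, why the timestamps disagree: tar carries the archive's mtime over to the extracted file, while ctime is stamped by the local kernel at extraction and cannot be set with utimes/touch. The earliest ctime under a dropped directory is therefore the local evidence for when the files arrived; the file names, contents and the 2006 date in the demo are invented.

```python
"""Reading stat timestamps on a suspicious directory (added example).

Assumptions (mine, not from the thread): the raw line is FreeBSD's default
stat(1) output order, and the tarball/extract below stands in for however
the attacker unpacked the files.
"""
import io
import os
import re
import tarfile
import tempfile
import time
from datetime import datetime

# The line from the thread, copied verbatim.
RAW_STAT_LINE = ('60 49356 -rw-r--r-- 1 root wheel 198776 22193 "Dec 28 04:03:50 2006" '
                 '"Jul 12 02:09:14 2006" "Oct 23 16:28:28 2006" "Jul 12 02:09:14 2006" '
                 '4096 44 0 /tmp/download/package2.xml')

TS_NAMES = ("access", "modify", "change", "birth")


def parse_bsd_stat(line):
    """Split a default-format FreeBSD stat(1) line into named fields."""
    quoted = re.findall(r'"([^"]*)"', line)
    if len(quoted) != 4:
        raise ValueError("expected four quoted timestamps")
    head = line.split('"', 1)[0].split()      # fields before the timestamps
    tail = line.rsplit('"', 1)[1].split()     # fields after the timestamps
    dev, ino, mode, nlink, uid, gid, rdev, size = head
    blksize, blocks, flags, path = tail
    times = {n: datetime.strptime(t, "%b %d %H:%M:%S %Y")
             for n, t in zip(TS_NAMES, quoted)}
    return {"mode": mode, "owner": f"{uid}:{gid}", "size": int(size),
            "path": path, **times}


def timeline_for_tree(root):
    """For every file under root: mtime (may be carried over from an archive)
    and ctime (set by this kernel when the inode was written; not settable
    from userland). Returns (earliest_ctime, rows): the files were on this
    box no later than earliest_ctime."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            p = os.path.join(dirpath, n)
            st = os.stat(p)
            rows.append({"path": p, "mtime": st.st_mtime, "ctime": st.st_ctime,
                         "birthtime": getattr(st, "st_birthtime", None)})
    return min(r["ctime"] for r in rows), rows


def demo_tar_preserves_mtime_not_ctime():
    """Build a constructed tarball whose member carries an old mtime, extract it,
    and return (mtime_after_extract, earliest_ctime, extract_started)."""
    old_mtime = int(datetime(2006, 7, 12, 2, 9, 14).timestamp())  # invented
    body = b"<package>constructed sample, not the real PEAR package.xml</package>\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        ti = tarfile.TarInfo("download/package2.xml")  # invented member name
        ti.size = len(body)
        ti.mtime = old_mtime
        tf.addfile(ti, io.BytesIO(body))
    buf.seek(0)
    with tempfile.TemporaryDirectory() as dest:
        started = time.time()
        with tarfile.open(fileobj=buf, mode="r") as tf:
            # newer tarfile wants an explicit extraction filter
            extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tf.extractall(dest, **extra)
        earliest_ctime, rows = timeline_for_tree(os.path.join(dest, "download"))
        return rows[0]["mtime"], earliest_ctime, started


if __name__ == "__main__":
    for k, v in parse_bsd_stat(RAW_STAT_LINE).items():
        print(f"{k:>8}: {v}")
    m, c, t0 = demo_tar_preserves_mtime_not_ctime()
    print("mtime after extract:", datetime.fromtimestamp(m))
    print("ctime after extract:", datetime.fromtimestamp(c), "(local, >= extraction time)")
```

Run against a real directory, `timeline_for_tree("/tmp/download")` gives one row per file; the modify times are whatever the source tarball carried, the change times are what the local filesystem recorded when the files were written, and the two cannot be made to agree by anything short of editing the clock or the raw device.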

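Added example, not from the thread: the triage the reply recommends (auth.log for ssh connections, sockstat for listeners that shouldn't be there), written as parsing logic over constructed sample input so it can be run offline. The sshd lines follow the standard "Accepted/Failed <method> for <user> from <ip> port <n> ssh2" format and the sockstat text follows `sockstat -4l` column order; hostnames, addresses, pids and the port allow-list are invented for the example.

```python
"""Triage helpers for the reply's two suggestions (added example).

Input is constructed: no real log lines or sockstat output from the thread.
"""
import re
from collections import Counter

SAMPLE_AUTH_LOG = """\
Oct 22 23:58:01 lordcow sshd[4102]: Failed password for root from 10.9.8.7 port 41022 ssh2
Oct 22 23:58:04 lordcow sshd[4102]: Failed password for root from 10.9.8.7 port 41022 ssh2
Oct 22 23:58:09 lordcow sshd[4105]: Failed password for invalid user admin from 10.9.8.7 port 41030 ssh2
Oct 23 00:12:40 lordcow sshd[4170]: Accepted password for root from 10.9.8.7 port 41211 ssh2
Oct 23 09:15:02 lordcow sshd[5011]: Accepted publickey for gareth from 192.0.2.10 port 50112 ssh2
"""

# Constructed `sockstat -4l` output: an IRC-looking listener owned by root.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
www      httpd      7001  3  tcp4   *:80                  *:*
root     perl       48520 3  tcp4   *:6667                *:*
root     syslogd    410   5  udp4   *:514                 *:*
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")


def ssh_events(text):
    """Parse sshd login lines; unrelated lines are ignored."""
    return [m.groupdict() for m in map(SSHD_RE.match, text.splitlines()) if m]


def suspicious_logins(events):
    """Flag accepted logins that came from an address with earlier failures
    (guessing followed by success) and any accepted root login."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    flagged = []
    for e in events:
        if e["result"] != "Accepted":
            continue
        reasons = []
        if failures[e["ip"]]:
            reasons.append(f"{failures[e['ip']]} prior failures from {e['ip']}")
        if e["user"] == "root":
            reasons.append("root login")
        if reasons:
            flagged.append((e["ts"], e["user"], e["ip"], reasons))
    return flagged


def unexpected_listeners(text, allowed_ports):
    """Return (user, command, pid, proto, local) for listening sockets whose
    port is not on the allow-list of services this box is meant to run."""
    out = []
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split()
        if len(parts) != 7:
            continue
        user, cmd, pid, _fd, proto, local, foreign = parts
        if foreign != "*:*":                     # not a listening socket
            continue
        port = int(local.rsplit(":", 1)[1])
        if port not in allowed_ports:
            out.append((user, cmd, int(pid), proto, local))
    return out


if __name__ == "__main__":
    for ts, user, ip, why in suspicious_logins(ssh_events(SAMPLE_AUTH_LOG)):
        print(f"{ts}: {user} from {ip}: {'; '.join(why)}")
    for row in unexpected_listeners(SAMPLE_SOCKSTAT, allowed_ports={22, 80, 514}):
        print("unexpected listener:", row)
```

On a real box the same functions take `open("/var/log/auth.log").read()` and the output of `sockstat -4l`; the allow-list is whatever you actually installed, which is the point of keeping one.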