It seems my FreeBSD Server 7.2 was hacked.
FreeBSD 7.2-RELEASE #0: amd64
I'm wondering if from the information below anyone can shed light or give me a hint how this may have happened (or what this particular attack is called). I didn't allow SSH root access. There are 2 sudoers and they both have very very strong passwords. There were a number of login attempts prior but nothing to suggest it was possible to break a password. Nothing apart from below seems to have changed. A run of chkrootkit shows nothing. It seems that the /usr/bin/ssh file itself was changed first but it's difficult to see how this could have occurred.
A search of changed files in the order they changed shows this:
Note the 501 user rather than wheel
1. The actual /usr/bin/ssh binary has been switched
Code:
# ll /usr/bin/ssh
-rwxr-xr-x 1 root 501 218480 Aug 31 11:20 /usr/bin/ssh
2.
Code:
-rw-r--r-- 1 root 501 3635 Aug 31 11:24 sshd_config
which changed
Code:
PermitRootLogin yes
3. A file /usr/include/log.h appeared with plain passwords of users who had logged in via SSH.
The logs in auth.log have:
Code:
Aug 31 11:25:42 serv sshd[68450]: Server listening on :: port 22.
Aug 31 11:25:42 serv sshd[68450]: Server listening on 0.0.0.0 port 22.
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 186
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 187
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 188
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 189
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 190
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 191
Fortunately, the hack broke my SFTP and I was able to SSH in, change passwords, reset the ssh_config etc. (obviously I'm aware that these passwords may not be safe etc. until a reinstall).
portaudit has just this:
serv# sudo portaudit -Fda
Code:
auditfile.tbz 100% of 79 kB 216 kBps
New database installed.
Database created: Sun Sep 2 10:00:02 UTC 2012
Affected package: automake-1.10.1
Type of problem: automake -- Insecure distcheck recipe granted world-writable distdir.
Reference: http://portaudit.FreeBSD.org/36235c38-e0a8-11e1-9f4d-002354ed89bc.html
Affected package: automake-1.9.6_3
Type of problem: automake -- Insecure distcheck recipe granted world-writable distdir.
Reference: http://portaudit.FreeBSD.org/36235c38-e0a8-11e1-9f4d-002354ed89bc.html
2 problem(s) in your installed packages found.
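A small triage script for the three indicators in this post (a group column that is no longer wheel, an active "PermitRootLogin yes", and the burst of "Bad prime description" errors). It is an added example, not the poster's or FreeBSD's code; the files it checks are constructed from the lines quoted above, and the paths it reads from are assumptions for the demo.

```shell
#!/bin/sh
# Triage checks for the indicators in the post above. Added example, not the poster's
# script. Reads saved copies (ls -l output, sshd_config, auth.log) from one directory.

# Print `ls -l` lines whose group column (field 4) is not the expected group.
flag_group_mismatch() {
    awk -v want="$1" 'NF >= 4 && $4 != want { print }'
}

# Exit 0 if the given sshd_config has an active (uncommented) "PermitRootLogin yes".
sshd_permits_root() {
    grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$1"
}

# Print how many "Bad prime description" errors the given auth.log holds. sshd logs
# this when a line of its moduli file fails to parse, so a burst is worth a look.
count_bad_prime() {
    grep -c 'Bad prime description' "$1" || true
}

# Write constructed sample files (modelled on the post, not copied from any host)
# into a temporary directory and print its path.
make_samples() {
    dir=$(mktemp -d)
    printf '%s\n' \
        '-rwxr-xr-x 1 root 501 218480 Aug 31 11:20 /usr/bin/ssh' \
        '-rwxr-xr-x 1 root wheel 212992 Jan 15 09:00 /usr/bin/scp' \
        '-rw-r--r-- 1 root 501 3635 Aug 31 11:24 /etc/ssh/sshd_config' \
        > "$dir/ls.txt"
    printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin yes' > "$dir/sshd_config"
    printf '%s\n' \
        'Aug 31 11:25:42 serv sshd[68450]: Server listening on 0.0.0.0 port 22.' \
        'Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 186' \
        'Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 187' \
        > "$dir/auth.log"
    echo "$dir"
}

# Run all checks against a directory laid out like the one make_samples produces.
triage() {
    d=$1
    echo "== files whose group is not wheel =="
    flag_group_mismatch wheel < "$d/ls.txt"
    if sshd_permits_root "$d/sshd_config"; then
        echo "== sshd_config permits root login =="
    fi
    echo "== bad prime errors in auth.log: $(count_bad_prime "$d/auth.log") =="
}

triage "$(make_samples)"
```

On a real host, save `ls -l /usr/bin /etc/ssh` to ls.txt and copy sshd_config and auth.log beside it, then call `triage` on that directory.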