# How was my server hacked and how to prevent it?



## macgruder (Sep 2, 2012)

It seems my FreeBSD Server 7.2 was hacked. 
 FreeBSD 7.2-RELEASE #0:  amd64

I'm wondering if from the information below anyone can shed light or give me a hint how this may have happened (or what this particular attack is called). I didn't allow SSH root access. There are 2 sudoers and they both have very very strong passwords. There were a number of login attempts prior but nothing to suggest it was possible to break a password. Nothing apart from below _seems_ to have changed. A run of chkrootkit shows nothing. It seems that the /usr/bin/ssh file itself was changed first but it's difficult to see how this could have occurred.

A search of changed files in the order they changed shows this: 
_Note the 501 user rather than wheel_
1 The actual /usr/bin/ssh binary has been switched

```
# ll /usr/bin/ssh
-rwxr-xr-x  1 root  501  218480 Aug 31 11:20 /usr/bin/ssh"
```

2.

```
-rw-r--r--  1 root  501      3635 Aug 31 11:24 sshd_config
```
which changed 

```
PermitRootLogin yes
```


3. A file /usr/include/log.h appeared with plain passwords of users who had logged in via SSH.  


The logs in auth.log have

```
Aug 31 11:25:42 serv sshd[68450]: Server listening on :: port 22.
Aug 31 11:25:42 serv sshd[68450]: Server listening on 0.0.0.0 port 22.
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 186
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 187
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 188
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 189
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 190
Aug 31 11:25:50 serv sshd[68452]: error: Bad prime description in line 191
```




Fortunately, the hack broke my SFTP and I was able to SSH in, change passwords, reset the ssh_config etc. (obviously I'm aware that these passwords may not be safe etc. until a reinstall). 


portaudit has just this:
serv# sudo portaudit -Fda

```
auditfile.tbz                                 100% of   79 kB  216 kBps
New database installed.
Database created: Sun Sep  2 10:00:02 UTC 2012
Affected package: automake-1.10.1
Type of problem: automake -- Insecure  distcheck  recipe granted world-writable distdir.
Reference: http://portaudit.FreeBSD.org/36235c38-e0a8-11e1-9f4d-002354ed89bc.html

Affected package: automake-1.9.6_3
Type of problem: automake -- Insecure  distcheck  recipe granted world-writable distdir.
Reference: http://portaudit.FreeBSD.org/36235c38-e0a8-11e1-9f4d-002354ed89bc.html

2 problem(s) in your installed packages found.
```
Presumably I just need to delete the above. But I don't think that was the vector.


----------



## SirDice (Sep 2, 2012)

Support for 7.2 ended 2 years ago. You also seem to be running a pristine release version, i.e. it has no security patches. Since the release and the end-of-life there have been numerous security patches to the base. Any one of those could have been abused. Any one of the bugs that were found after the end-of-life could also have been abused.

In short, running an unpatched and unsupported version is probably what bit you.


----------



## macgruder (Sep 2, 2012)

Thanks for the quick reply. So clearly the thing to do is update to Version 8.

Just one question. (Apologies for the beginner's nature of it). How precisely do I check for security patches to the base?


----------



## SirDice (Sep 2, 2012)

macgruder said:
			
		

> So clearly the thing to do is update to Version 8.


And keeping it up to date this time.



> How precisely do I check for security patches to the base?


Patched versions will have a -p1, -p2, etc. appended to the version. For example: 8.3-RELEASE-p4.

http://www.freebsd.org/security/advisories.html


----------



## macgruder (Sep 2, 2012)

Updating from Version 7 to 8.3 is a bit scary for me via SSH. 

Of course, I've Googled exactly how to do it but there is almost too much information. Do you have a resource you recommend for how to do this?

Many thanks for your help.


----------



## SirDice (Sep 2, 2012)

macgruder said:
			
		

> Updating from Version 7 to 8.3 is a bit scary for me via SSH.


Don't mess with a hacked server. Backup the data and do a clean install. There's no way to tell what has been modified and you can't trust anything anymore.


----------



## macgruder (Sep 2, 2012)

Got it. Thanks for your advice.


----------



## macgruder (Sep 2, 2012)

For those interested it turned out to be a vulnerability in Telnet. Of course, this has been fixed in supported versions of FreeBSD. Lesson learnt.


----------



## kpa (Sep 2, 2012)

Disable telnetd(8) entirely (in fact disable inetd(8) too), it's really not needed anymore since you can arrange remote logins with sshd(8).


----------



## macgruder (Sep 2, 2012)

I'd just disabled telnet by commenting it out in the inetd config and restarting inetd. You recommend I simply stop inetd ?


----------



## kpa (Sep 2, 2012)

Unless you have a service that must be run from inetd(8) I recommend that you stop it and disable it in /etc/rc.conf


----------



## fluca1978 (Sep 3, 2012)

kpa said:
			
		

> Disable telnetd(8) entirely (in fact disable inetd(8) too), it's really not needed anymore since you can arrange remote logins with sshd(8).



Unluckily there are still some old crap software (mainly proprietary) that requires users to connect via telnet. I remember I had to battle for a month to switch a whole company to use ssh for their terminal access!


----------



## anton (Sep 4, 2012)

```
man security
```
 is an essential introduction as well.


----------



## SirDice (Sep 4, 2012)

There's also [thread=4108]Unofficial FreeBSD Security Checklist / Links / Resources[/thread].


----------

