Just FYI, the following mail may be worth considering if you are still
using telnetd to manage machines remotely.
After all, this country (Indonesia) has no restrictions on the use of encryption.

PS: don't look at the OS, because we are still on un*x as well.
-cmiiw, and sorry if this comes across as cross-posting.
----*
Date: Wed, 14 Nov 2001 09:58:44 -0500 (EST)
From: Chris Thomas <[EMAIL PROTECTED]>
To: Stefan Probst <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], Rob Hurle <[EMAIL PROTECTED]>
Subject: Re: AdoreWorm
In-Reply-To: <5.1.0.14.2.20011114183520.01e71d20@MailServer>
Message-ID: <[EMAIL PROTECTED]>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)

As other people have suggested numerous times on this list, do not use
telnetd!  Telnet uses plain text IP packets, meaning _anything_ you type
can be read by _anyone_ sniffing packets along the route or at certain
machines.  If you manage your machine remotely, this means your root
password, user account passwords and other sensitive information which can
lead to this sort of attack happening again.  Please, use ssh, as it
encrypts your traffic so that it is unreadable to the human eye, keeping
your passwords and activity hidden.  Also, be sure to disable login
available as root, as this is just not a good idea.  In short, whether or
not the version of telnetd you are using is patched, telnet is insecure,
deprecated and lastly insecure.  There is no reason I can think of to use
it on any modern server, because ssh clients are widely and freely
available for every platform.  To end this message out, do not use
telnetd!

-chris

On Wed, 14 Nov 2001, Stefan Probst wrote:

> Hi,
>
> some hours later, lots of grey hair more, but feeling more safe now....
>
> As it looks now, somebody in Romania used most probably the telnetd hole
> (because there were no other unused services running, and it would be hard
> to believe, that somebody on a dial-up line in Romania can sniff telnet
> passwords, which usually go from Vietnam via Hongkong to the East Coast) and
> got somehow root access. They installed then this AdoreBSD. Luckily, as it
> looks right now (I might be wrong), they didn't do anything else - at least
> nothing major.
>
> They furthermore installed from http://www.psychoid.lam3rz.de the psyBNC,
> which is obviously kind of a "special" IRC relay ???
>
> This psyBNC left a logfile, and I have their ISP now: warpnet.ro, including
> some IP numbers, which they used. Not sure, what I should do with that.
>
> This psyBNC is installed in a directory, with a single space as the name:
> /root/ /bsd.tgz
> /root/ /bsd/scan-a
> /root/ /bsd/telnet
> /root/ /bsd/statdx2.tgz
> /root/ /bsd/statdx2/luckgo
> /root/ /bsd/statdx2/luckscan-a
> /root/ /bsd/statdx2/luckstatdx
> /root/ /bsd/statdx2/wu
> /root/ /psybnc/
>
>
> Status as of now:
> - I deleted /bin/xterm (since I saw that entry in rc.conf)
> - I replaced ps with a version, which I downloaded from another server
>    Luckily, that worked, and I could see the processes again.
> - I killed all ./cons.saver processes
> - I killed all /bin/xterm processes
> - I killed all ./psybnc processes
> - To apply the patch as written on the FreeBSD site, didn't work,
>    because my /usr/src/ directory was empty.
> - I tried ssh (which is ok now) to make sure, that I am not locked out,
>    in case I crash telnetd.
> - I replaced telnetd with a patched version which I downloaded
>    from the other server.
>    Still can log on.
> - I restarted inetd successfully.
> - I renamed .fx/cons.saver to be sure, that this is not restarted again
> - I changed the root password (not sure, whether this was necessary)
> - I replaced rc (I am really lucky, that this is one of the few files,
>    which I (nosy) downloaded some time ago, so I have a clean copy here)
>    and rc.conf
> - I renamed that /root/ / to something different - to be sure,
>    that the files in there cannot be started by an unknown process again.
>
> Outstanding
> - find more remains.
> - the /var/log/... files are still not written, i.e. size still "0". ???
>
> Open Questions:
> - I know, that
>    * ps, telnetd have been replaced
>    * /var/log/messages has been renamed to "menssages"
>    * rc, rc.conf have been edited
>    * processes were started: cons.saver, xterm, psybnc
>    What more happened / needs to be re-installed/deleted/killed...?
> - there is a short file "/etc/syslog.conf.lock" what is this?
>    Delete it?
>
>
> Thanks to everybody,
> Stefan
----*
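As an added example (not part of the forwarded mail), the checks below turn the traces Stefan lists into a small triage script for a mounted copy of the disk: a directory whose name is only whitespace, zero-byte files under /var/log, and a log renamed to a look-alike such as "menssages". The expected log names and the sample tree are constructed assumptions.

```python
# Added example, not from the original mail: post-incident triage checks for the
# traces described above (whitespace-named directory, zero-byte logs, a log
# renamed to a look-alike such as 'menssages'). Run against a mounted disk copy.
import os
import tempfile
from pathlib import Path

EXPECTED_LOGS = {"messages", "secure", "maillog"}  # assumed baseline for this host

def one_edit_apart(a: str, b: str) -> bool:
    """True when a and b differ by one insertion, deletion or substitution."""
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if len(a) > len(b):
        a, b = b, a
    return len(b) - len(a) == 1 and any(b[:k] + b[k + 1:] == a for k in range(len(b)))

def whitespace_named_dirs(root: Path) -> list:
    """Directories whose name is only whitespace, like the thread's '/root/ /'."""
    return sorted(Path(d) / n for d, names, _ in os.walk(root)
                  for n in names if n.strip() == "")

def log_findings(root: Path) -> dict:
    """Zero-byte logs (syslogd no longer writing) and look-alike log names."""
    logdir = root / "var" / "log"
    files = [p for p in logdir.iterdir() if p.is_file()] if logdir.is_dir() else []
    empty = sorted(p.name for p in files if p.stat().st_size == 0)
    lookalike = sorted((p.name, e) for p in files if p.name not in EXPECTED_LOGS
                       for e in EXPECTED_LOGS if one_edit_apart(p.name, e))
    return {"empty_logs": empty, "lookalike_logs": lookalike}

def build_sample_tree() -> Path:
    """Constructed tree mirroring the thread's findings; not real data."""
    root = Path(tempfile.mkdtemp())
    (root / "root" / " " / "psybnc").mkdir(parents=True)
    (root / "var" / "log").mkdir(parents=True)
    (root / "var" / "log" / "menssages").write_text("Nov 14 syslog lines\n")
    (root / "var" / "log" / "messages").touch()  # size 0 since the intrusion
    (root / "var" / "log" / "maillog").write_text("ok\n")
    return root

if __name__ == "__main__":
    r = build_sample_tree()
    print([str(p.relative_to(r)) for p in whitespace_named_dirs(r)], log_findings(r))
```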

Quoting sonny geovani, <no.id> 
on Thu, Nov 15, 2001 at 06:38:06AM +0700:
> install the telnet-server. On redhat-7.1 & 7.2 the result is that it creates 
> a telnet file directly in /etc/xinetd.d/. The contents of the file are as follows:
> 
> # default: on
> # description: The telnet server serves telnet sessions; it uses \
> #       unencrypted username/password pairs for authentication.
> service telnet
> {
>         flags           = REUSE
>         socket_type     = stream
>         wait            = no
>         user            = root
>         server          = /usr/sbin/in.telnetd
>         log_on_failure  += USERID
>         disable         = yes
> }
> 
> by default it is disabled. So if you want to use telnet just 
> change disable = yes ----> disable = no
> My suggestion is, if you want to use the telnet-server, please check  
> its security updates, because some time ago telnet had 
> problems on many unix variants (except openbsd)
> 
> sonny geovani
> 
> >Dear Admin,
> >I tried installing Mandrake 8.
> >It turns out inetd.conf is in /etc/xinet.d (if I'm not mistaken).
> >So if we want to configure it as a telnet server, what does the script look like?
> >regards

--
Firman Pribadi
--------------
http://ragiel.dhs.org
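As an added example (not from any of the mails above), the script below parses an xinetd service file in the format of the /etc/xinetd.d/telnet block quoted above and reports whether the cleartext telnet service is enabled and running as root. The embedded file is a constructed copy of that block with its comments dropped; the `audit` findings are my own wording.

```python
# Added example, not from the original mail: parse an xinetd service file such as
# /etc/xinetd.d/telnet above and report whether cleartext telnet is enabled.
import re

# Constructed copy of the thread's file, comments dropped, default 'disable = yes'.
TELNET_DEFAULT = """\
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
"""
ATTR_RE = re.compile(r"^(\w+)\s*(\+?=)\s*(.*)$")  # 'attr = v' or 'attr += v'

def parse_xinetd(text: str) -> dict:
    """Return {service: {attribute: [values]}}, honouring both = and +=."""
    services, name, attrs = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line == "{":
            continue
        if line.startswith("service "):
            name, attrs = line.split(None, 1)[1], {}
        elif line == "}":
            services[name], name, attrs = attrs, None, None
        elif attrs is not None and (m := ATTR_RE.match(line)):
            key, op, values = m.group(1), m.group(2), m.group(3).split()
            if op == "=":
                attrs[key] = values
            else:
                attrs.setdefault(key, []).extend(values)
        else:
            raise ValueError(f"unexpected line: {raw!r}")
    return services

def audit(services: dict) -> list:
    """Findings: telnet enabled (xinetd's default if 'disable' is absent), root services."""
    findings = []
    for name, attrs in services.items():
        enabled = attrs.get("disable", ["no"])[0].lower() != "yes"
        if name == "telnet" and enabled:
            findings.append("telnet enabled: credentials cross the network in cleartext")
        if enabled and attrs.get("user") == ["root"]:
            findings.append(f"{name} runs as root")
    return findings
```

Flipping the file to `disable = no`, as the quoted mail describes, makes both findings appear.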
