Yeah it sucks, the miscreants run 24/7 365. My guess is home systems
are targeted a lot because there's only an 'IT Dept' of one.

Lots of good stuff in base and the ports collection. mtree can be
extended to check file integrity for anything you've modified and
other local stuff (something I need to do).

OpenBSD has always rocked for providing very current versions of
snort. barnyard2 compiles cleanly on obsd.

IIRC swatch can email you on log events, i.e. I know I haven't logged
onto the server for 2 weeks, so why was there an unsuccessful (or, yikes,
successful) su/sudo attempt at 0237 when I was sleeping?

Got sagan-1.0.0RC4 set up earlier and was greeted with this alert:

[**] [1001:1]  sagan_blacklist: Address found in blacklist [**]
[Classification: Blacklist] [Priority: 1]
2014-08-15 22:58:01 61.174.51.214:1514 -> 127.0.0.1:1514 daemon warning
Message:  Aug 15 22:57:55.617311 rule 7/(match) block in on rl0:
61.174.51.214.6000 > xxx.xxx.xxx.xxx.22: S 1496842240:1496842240(0)
win 16384 [tos 0x20]

And snort (timestamps are messed up):
04/21-15:21:46.000067  [**] [1:2100528:6] <snort> GPL SCAN loopback
traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2]
{UDP} 127.0.0.1:53 -> 172.xxx.xxx.xxx:31105
12/30-19:03:17.000065  [**] [1:2100528:6] <snort> GPL SCAN loopback
traffic [**] [Classification: Potentially Bad Traffic] [Priority: 2]
{UDP} 127.0.0.1:53 -> 172.xxx.xxx.xxx:3117

So you're not alone. Good Luck



On Thu, Aug 14, 2014 at 8:54 PM, Scott Bonds <sc...@ggr.com> wrote:
> I run an OpenBSD 5.5-stable amd64 server at home. Email, web, etc. Today
> I was doing some maintenance and I found my way to /etc/rc.local. When I
> opened it I saw this:
>
> $ cat rc.local
> #       $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
>
> # Site-specific startup actions, daemons, and other things which
> # can be done AFTER your system goes into securemode.  For actions
> # which should be done BEFORE your system has gone into securemode
> # please see /etc/rc.securelevel.
> cd /etc;./sfewfesfs
> cd /etc;./gfhjrtfyhuf
> cd /etc;./rewgtf3er4t
> cd /etc;./sdmfdsfhjfe
> cd /etc;./gfhddsfew
> cd /etc;./ferwfrre
> cd /etc;./dsfrefr
>
> I don't remember adding those lines to my rc.local file.
>
> $ cd /etc && ls -al ./sfewfesfs
> -rwsrwsrwt  1 root  wheel  694680 Apr  4 07:47 /etc/sfewfesfs
>
> $ file dsfrefr
> dsfrefr: ELF 32-bit LSB executable, Intel 80386, version 1, statically
> linked, stripped
>
> Seems odd to have a bunch of randomly named executables running at boot.
> And that they are compiled for 386 (I'm running amd64), and that they have
> suid set, and to root.
>
> $ clamscan *
> dsfrefr: OK
> ferwfrre: OK
> gfhddsfew: OK
> gfhjrtfyhuf: OK
> rc.local: OK
> rewgtf3er4t: OK
> sdmfdsfhjfe: OK
> sfewfesfs: OK
> Scanned directories: 0
> Scanned files: 8
> Infected files: 0
> Data scanned: 3.21 MB
> Data read: 3.20 MB (ratio 1.00:1)
> Time: 10.842 sec (0 m 10 s)
>
> Hmm, ok let's run one.
>
> $ ./dsfrefr
> ./dsfrefr[1]: syntax error: `(' unexpected
>
> That's all any of them say when run.
>
> So...have I been p0wned or does anyone know what innocent thing might be
> happening here? Please CC sc...@ggr.com on any replies, as I'm not
> subscribed to updates from the list.
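As an added example, not code from either poster, here is a small Python audit for the three signs the thread points at: rc.local lines that run a program out of /etc, setuid or world-writable permission bits like the -rwsrwsrwt shown above, and a 32-bit i386 ELF header on what is assumed to be a 64-bit host. The rc.local text and the ELF file it creates in a temp directory are constructed for the demo.

```python
import os
import re
import stat
import struct
import tempfile

# Constructed rc.local text modelled on the lines quoted in the thread (not the real file).
SAMPLE_RC_LOCAL = """\
#       $OpenBSD: rc.local,v 1.44 2011/04/22 06:08:14 ajacoutot Exp $
# Site-specific startup actions, daemons, and other things which
cd /etc;./sfewfesfs
cd /etc;./dsfrefr
"""
EXEC_FROM_ETC = re.compile(r"^cd\s+/etc\s*;\s*\./\S+")

def suspicious_rc_lines(text):
    """Non-comment rc.local lines that run a program out of /etc (stock rc.local is comments only)."""
    lines = [ln.strip() for ln in text.splitlines()]
    return [ln for ln in lines if ln and not ln.startswith("#") and EXEC_FROM_ETC.match(ln)]

def mode_findings(mode):
    """Name the dangerous bits in an st_mode value, e.g. 0o7777, which ls shows as -rwsrwsrwt."""
    found = []
    if mode & stat.S_ISUID:
        found.append("setuid")
    if mode & stat.S_IWOTH:
        found.append("world-writable")
    return found

def elf_findings(path, host_64bit=True):
    """Parse the ELF ident bytes and e_machine; flag a 32-bit i386 binary on a 64-bit host."""
    with open(path, "rb") as f:
        hdr = f.read(20)
    if len(hdr) < 20 or hdr[:4] != b"\x7fELF":
        return []  # not ELF or truncated: nothing to report from the header
    endian = "<" if hdr[5] == 1 else ">"  # EI_DATA: 1 little-endian, 2 big-endian
    e_machine = struct.unpack(endian + "H", hdr[18:20])[0]
    found = []
    if host_64bit and hdr[4] == 1:  # EI_CLASS 1 = ELFCLASS32
        found.append("32-bit ELF on 64-bit host")
    if e_machine == 3:  # EM_386
        found.append("i386 binary")
    return found

def demo():
    """Constructed 32-bit i386 ELF header in a temp dir, chmod 7777 like the quoted ls -al output."""
    path = os.path.join(tempfile.mkdtemp(), "sfewfesfs")
    with open(path, "wb") as f:  # magic, EI_CLASS=1, EI_DATA=1, EI_VERSION=1, pad, e_type=2, e_machine=3
        f.write(b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 3))
    os.chmod(path, 0o7777)
    return mode_findings(os.lstat(path).st_mode) + elf_findings(path)
```

Running the same checks over the real /etc and comparing against an mtree spec taken when the box was known-good is the routine follow-up.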
