From owner-freebsd-security Mon Jul 28 17:03:34 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA14165 for security-outgoing; Mon, 28 Jul 1997 17:03:34 -0700 (PDT)
Received: from mail.MCESTATE.COM (vince@mail.MCESTATE.COM [207.211.200.50]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA14157 for ; Mon, 28 Jul 1997 17:03:29 -0700 (PDT)
Received: from localhost (vince@localhost) by mail.MCESTATE.COM (8.8.5/8.8.5) with SMTP id RAA07160; Mon, 28 Jul 1997 17:03:20 -0700 (PDT)
Date: Mon, 28 Jul 1997 17:03:19 -0700 (PDT)
From: Vincent Poy
To: "Jordan K. Hubbard"
cc: security@FreeBSD.ORG, "[Mario1-]", JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To: <5496.870134385@time.cdrom.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 28 Jul 1997, Jordan K. Hubbard wrote:

=)> Well, because I connect to the system using telnet ;) Also, this
=)
=)That proves absolutely nothing. You think I can't hack a telnetd to
=)provide multiple "services?" Wake up, Vinnie! :-)

Of course you could, but you're not in the same type of hacking business
this guy is in. This is a log of an irc chat session.

From johnnyu@accessus.net Mon Jul 28 17:01:43 1997
Date: Mon, 28 Jul 1997 18:38:32 -0500 (CDT)
From: NoHackMe!
To: security@netcom.com
Cc: vince@mcestate.com, mario1@primenet.com
Subject: Logs (Gaianet.net)

Here is a log I just got from talking with theca the hacker!

Session Start: Mon Jul 28 18:16:14 1997
[18:16] yeah
[18:16] hi
[18:16] wasup that was nice of you last night
[18:16] what? pasting the root pass all over efnet? yea
[18:16] so was icmp pinging me you shouldn't have hacked the machine
[18:17] i was nice till that started aside from that the minor ping that you got was nothing you have created a HUGE DOS situation for the entire company
[18:17] i'll show you all the pings i got
[18:17] 1 sec. I don't care?
[18:17] ok You were pinged why?
[18:18] why am i causing a dos?
[18:18] bring your machines back up well let's see you changed the root passwd handed it out
[18:18] Jul 28 02:29:45 soma icmplog: ping from venus.GAIANET.NET
[18:18] Jul 28 02:30:19 soma last message repeated 10 times
[18:18] Jul 28 02:31:20 soma last message repeated 18 times
[18:18] Jul 28 02:32:04 soma last message repeated 64 times
[18:18] Jul 28 02:38:52 soma last message repeated 31 times
[18:18] Jul 28 02:39:53 soma last message repeated 54 times
[18:18] Jul 28 02:40:54 soma last message repeated 60 times
[18:18] Jul 28 02:41:37 soma last message repeated 42 times
[18:18] i changed the root passwd to 'root' someone changed the inetd.conf and rebooted
[18:18] yeah
[18:18] i didn't do that so now all the machines are pretty much denying all hosts we don't care too much
[18:19] one of the windows lusers who saw my paste as far as we're concerned you're the cause of the problem
[18:19] umm
[18:19] why don't you fix the inetd.conf let's put it like this
[18:19] instead of bitching about it that system is admin'd remotely that system is admin'd remotely
[18:20] so NO one has physical access to the machine? your actions caused the main unix boxes on the lan not at the present time the owners are out of the country
[18:20] so go drive over there or something and boot it up
[18:20] i told you the root pass... anything I did to you was in an attempt to thwart your efforts to take control all of my feeble efforts failed you're a super leet spoof aren't you who's caching your dns
[18:22] i'm caching it
[18:22] on an authoritative ns box i rooted Hmm that's neat
[18:23] yep That would explain why netcom security can't find you on the portmaster
________________________________________
| TheCa (theca@wil-de7-10.ix.netcom.com)
| name : No bodies ever knew...
| serv : irc.pacbell.net
[18:24] tell netcom to change the !root pass on some of their portmasters
[18:24] just to be umm safe
[18:25] netcom has no security...it's a joke that's good
[18:25] netcom shell security is great
[18:25] ppp security == null
[18:26] they've got the biggest REAL isp (not including aol, etc)...you think they can keep track or even try to keep track of everyone?
[18:26] they have well over half a million users you think they can find you? you think they can find you?
Session Close: Mon Jul 28 18:32:07 1997
[18:28] Jul 28 19:28:14 soma pppd[16376]: Modem hangup
[18:28] Jul 28 19:28:14 soma pppd[16376]: Connection terminated.
[18:28] Jul 28 19:28:14 soma pppd[16376]: Exit.
[18:29] *clap clap*
[18:29] nice
[18:30] i'll see if that netcom acct is still up he probably doesn't have the account (!) The time is now 6:30pm.
[18:30] something like "connect S0" or the port they just dumped the entire wilmington port
[18:30] ah
[18:30] heh
[18:30] that's stupid
[18:30] now there's no way they'll find me
________________________________________
| TheCa_ (theca@phd-as15s15.erols.com)

That's it John. Basically he admits it and implies he has control over at least one of your portmasters and possibly one of your dns servers. This is a serious security issue for us and should be for you. If you have ANY contacts at erols.com please forward this to them and cc us if you would.

John Urschel
Gaianet Unix Administrator

Cheers,
Vince - vince@MCESTATE.COM - vince@GAIANET.NET                 ________   __   ____
Unix Networking Operations - FreeBSD-Real Unix for Free       / / / / | / |[__  ]
GaiaNet Corporation - M & C Estate                           / / / /  | /  | __] ]
Beverly Hills, California USA 90210                         / / / / / |/ / | __] ]
HongKong Stars/Gravis UltraSound Mailing Lists Admin       /_/_/_/_/|___/|_|[____]
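The icmplog lines pasted into the chat above are ordinary syslog output, and syslogd collapses identical consecutive messages into a single "last message repeated N times" line, so counting the "ping from" lines alone badly undercounts what the box actually received. The following is an added example, not code from the original mail or from any FreeBSD tool: a small Python parser that expands the repeat-compression, attributes the repeats to the minute of the summary line (an approximation, since those pings really arrived between the previous line and the summary), and flags minutes where one source exceeded a threshold. The sample input is the log text re-typed from the message; the final line for the host other.example.net is constructed to show that an unrelated message ends a repeat chain.

```python
import re
from collections import defaultdict

# Sample input: the icmplog lines as pasted in the IRC log above, plus one
# constructed line (other.example.net) to exercise the chain-reset case.
SAMPLE_LOG = """\
Jul 28 02:29:45 soma icmplog: ping from venus.GAIANET.NET
Jul 28 02:30:19 soma last message repeated 10 times
Jul 28 02:31:20 soma last message repeated 18 times
Jul 28 02:32:04 soma last message repeated 64 times
Jul 28 02:38:52 soma last message repeated 31 times
Jul 28 02:39:53 soma last message repeated 54 times
Jul 28 02:40:54 soma last message repeated 60 times
Jul 28 02:41:37 soma last message repeated 42 times
Jul 28 02:42:10 soma icmplog: ping from other.example.net
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$"
)
PING_RE = re.compile(r"^icmplog: ping from (?P<src>\S+)$")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def count_pings(log_text):
    """Return {(source, 'HH:MM'): count} with syslog repeat-compression expanded.

    A 'last message repeated N times' line refers to whatever message
    immediately preceded it, so we track the last ping source seen and add N
    to its count. Any other message resets the chain, because a later repeat
    line would then refer to that other message, not to a ping.
    """
    counts = defaultdict(int)
    last_src = None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog line; ignore
        minute = m.group("time")[:5]  # bucket by HH:MM
        msg = m.group("msg")
        p = PING_RE.match(msg)
        if p:
            last_src = p.group("src")
            counts[(last_src, minute)] += 1
            continue
        r = REPEAT_RE.match(msg)
        if r and last_src is not None:
            counts[(last_src, minute)] += int(r.group("n"))
            continue
        last_src = None  # unrelated message: the repeat chain is broken
    return dict(counts)


def total_for(counts, src):
    """Total pings attributed to one source across all minutes."""
    return sum(n for (s, _), n in counts.items() if s == src)


def flood_minutes(counts, threshold=50):
    """(source, minute, count) for every minute where a source exceeded threshold.

    The threshold is an arbitrary value chosen for this example.
    """
    return sorted(
        (src, minute, n) for (src, minute), n in counts.items() if n > threshold
    )


if __name__ == "__main__":
    c = count_pings(SAMPLE_LOG)
    print("total from venus.GAIANET.NET:", total_for(c, "venus.GAIANET.NET"))
    for src, minute, n in flood_minutes(c):
        print(f"flood: {src} sent {n} pings in minute {minute}")
```

Run against the pasted lines, the parser attributes 280 pings to venus.GAIANET.NET, not the single "ping from" line a grep would find, and three of the minutes exceed the example threshold. The same expansion is needed for any syslog-sourced detection rule that counts events, or the counts you alert on will be off by whatever factor syslogd compressed.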