From owner-freebsd-security Tue May 18 5:51:20 1999
Delivered-To: freebsd-security@freebsd.org
Received: from unix1.it-datacntr.louisville.edu (unix1.it-datacntr.louisville.edu [136.165.4.27]) by hub.freebsd.org (Postfix) with ESMTP id C3329156D6 for ; Tue, 18 May 1999 05:50:46 -0700 (PDT) (envelope-from k.stevenson@louisville.edu)
Received: from homer.louisville.edu (ktstev01@homer.louisville.edu [136.165.1.20]) by unix1.it-datacntr.louisville.edu (8.8.8/8.8.7) with ESMTP id IAA24906 for ; Tue, 18 May 1999 08:50:44 -0400
Received: (from ktstev01@localhost) by homer.louisville.edu (8.8.8/8.8.8) id IAA08118 for freebsd-security@freebsd.org; Tue, 18 May 1999 08:50:44 -0400 (EDT)
Message-ID: <19990518085043.A6970@homer.louisville.edu>
Date: Tue, 18 May 1999 08:50:43 -0400
From: Keith Stevenson
To: freebsd-security@freebsd.org
Subject: Re: Interesting Attack
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.93.2i
In-Reply-To: ; from Kris Kennaway on Tue, May 18, 1999 at 09:19:18AM +0930
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, May 18, 1999 at 09:19:18AM +0930, Kris Kennaway wrote:
>
> I was getting hundreds of similar packets per day here a few weeks ago, almost
> all from different sites, all from spoofed source addresses, to a nonexistent
> IP address and on an unobtrusive port number (1584) but the common thread was
> that all of the source hosts were running an IRC daemon. I never did find out
> conclusively what it was, but my guess is that someone was using my source
> address to spoof packets from, and I was seeing reverse probes by the IRC
> server.
>
> It all stopped when I turned on IP unreachables on my firewall..

We just had a Linux box fall victim to the WuFTPD/realpath(3) exploit. The cracker installed a slew of IRC tools, a sniffer, and a scanner which behaved very similarly to what you described.

Thankfully it was on a switched network, which limited the damage done by the sniffer, and the script-kiddie who broke in neglected to install the trojans included in his root-kit. This made the ircd very easy to find once the Linux user noticed that his system load was awfully high.

Anyway, since this thing had "root-kit" written all over it, it wouldn't surprise me in the slightest if there are lots of broken linux boxen on the internet running these scans.

Regards,
--Keith Stevenson--

--
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
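Added example, not part of the original thread or written by either poster: a small triage script for the traffic pattern Kris describes above, many distinct (possibly spoofed) source addresses all hitting one address that does not exist on the local network, on one unobtrusive port. It reads firewall log lines, groups inbound denies by destination address and port, and reports targets that are not real hosts and were hit from many distinct sources. The log lines are constructed in the style of ipfw(8) "log" output with documentation addresses, and the `live_hosts` set, the rule number, the interface name and the `min_sources` threshold are all assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of ipfw(8) "log" output. They are
# not taken from the original post; addresses are RFC 5737 documentation
# ranges and the rule number / interface are made up.
SAMPLE_LOG = """\
ipfw: 300 Deny TCP 192.0.2.10:1041 198.51.100.77:1584 in via ed0
ipfw: 300 Deny TCP 192.0.2.23:3210 198.51.100.77:1584 in via ed0
ipfw: 300 Deny TCP 203.0.113.5:1170 198.51.100.77:1584 in via ed0
ipfw: 300 Deny TCP 203.0.113.99:2043 198.51.100.77:1584 in via ed0
ipfw: 300 Deny TCP 192.0.2.200:1777 198.51.100.77:1584 in via ed0
ipfw: 300 Deny TCP 192.0.2.10:1042 198.51.100.77:1584 in via ed0
ipfw: 300 Deny TCP 203.0.113.7:1200 198.51.100.20:25 in via ed0
ipfw: 300 Deny UDP 203.0.113.7:53 198.51.100.20:53 in via ed0
"""

# Matches "ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> in|out via <ifc>".
LINE_RE = re.compile(
    r"ipfw: \d+ \w+ (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<ifc>\S+)"
)


def parse_log(text):
    """Return one dict per line that matches the ipfw log format above."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line; ignore
        ev = m.groupdict()
        ev["sport"] = int(ev["sport"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def find_fan_in(events, live_hosts, min_sources=4):
    """Report (dst, dport) pairs that are NOT a host we actually run and
    were hit, inbound, from at least min_sources distinct source addresses.

    Packets to a nonexistent local address cannot be replies to anything
    we sent, so a wide fan-in there is either backscatter from someone
    spoofing our space or a coordinated probe; either way it is worth a look.
    """
    sources = defaultdict(set)
    for ev in events:
        if ev["dir"] == "in":
            sources[(ev["dst"], ev["dport"])].add(ev["src"])

    findings = []
    for (dst, dport), srcs in sources.items():
        if dst not in live_hosts and len(srcs) >= min_sources:
            findings.append(
                {"dst": dst, "dport": dport, "distinct_sources": len(srcs),
                 "sources": sorted(srcs)}
            )
    return sorted(findings, key=lambda f: -f["distinct_sources"])


if __name__ == "__main__":
    # Assumed: 198.51.100.20 is a real host; 198.51.100.77 is unused space.
    live = {"198.51.100.20"}
    for f in find_fan_in(parse_log(SAMPLE_LOG), live):
        print("%s:%d hit from %d distinct sources: %s"
              % (f["dst"], f["dport"], f["distinct_sources"], ", ".join(f["sources"])))
```

The "not a live host" test is what separates this pattern from an ordinary scan against a real service; in practice the `live_hosts` set would come from the site's address inventory rather than a literal. The source addresses reported are only hints, since the post says they were spoofed, so the next step is to look at what those hosts are running (here, an IRC daemon) rather than to block them one by one.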