Date:      Sun, 5 Jul 1998 10:14:58 +0100 (BST)
From:      Scot Elliott <scot@planet-three.com>
To:        freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Security Alert: Qualcomm POP Server
Message-ID:  <Pine.BSF.3.96.980705100321.19331A-100000@tweetie.online.barbour-index.co.uk>

Morning all.

I caught someone last night with a root shell on our mail server.  I
traced it back to somewhere in the US, but unfortunately got locked out
and the log files removed before I had time to fix it ;-(

I shut the machine down remotely by mounting /usr over NFS and changing
/usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat, huh?
;-)

Anyway - the point is that it looks like some kind of buffer overflow in
the POP daemon that ships with FreeBSD 2.2.6.  I noticed lots of ^P^P^P...
messages from popper in the log file before it was removed.  There was an
extra line in /etc/inetd.conf which ran a shell as root on some port I
wasn't using (talk I think).  So I'm guessing that the exploit allows
anyone to run any command as root.  Nice.  Whoever it was was having a
whale of a time with my C compiler for some reason... very dodgy.

If I can find out the source of this then I'd like to follow it up.  Does
anyone have experience of chasing this sort of thing from across the US
border?  Also, of course, everyone should check their popper version.

Cheers


Yours - Scot.


-----------------------------------------------------------------------------
Scot Elliott (scot@poptart.org, scot@nic.cx)	| Work: +44 (0)171 7046777
PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
-----------------------------------------------------------------------------
Public key available by finger at:   finger scot@poptart.org
			    or at:   http://www.poptart.org/pgpkey.html
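A defensive follow-up to the two indicators in the mail above (the extra /etc/inetd.conf line spawning a root shell, and the runs of ^P in popper's syslog output), added here as an example and not part of Scot's post. The trusted-directory list is an assumed heuristic, and the inetd.conf entries and log lines are constructed samples:

```python
import os
import re

# Interpreters that should never be the server program of an inetd service.
SHELLS = {"sh", "csh", "tcsh", "ksh", "bash"}
# Where inetd server programs normally live on FreeBSD (assumed heuristic, adjust per host).
TRUSTED_DIRS = ("/usr/libexec/", "/usr/sbin/", "/usr/local/libexec/", "/usr/local/sbin/")

def audit_inetd_conf(text):
    """Return (line_no, reason, line) for each suspicious active inetd.conf entry.
    Entry format: service socket proto wait/nowait user[:group] program [args]."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or commented out
        fields = line.split()
        if len(fields) < 6 or fields[5] == "internal":
            continue                      # malformed, or served by inetd itself
        user, program = fields[4].split(":")[0], fields[5]
        if os.path.basename(program) in SHELLS:
            findings.append((no, "server program is a shell", line))
        elif user == "root" and not program.startswith(TRUSTED_DIRS):
            findings.append((no, "root service outside trusted directories", line))
    return findings

# A run of three or more ^P, either raw 0x10 bytes or as syslog renders them ("^P").
CTRL_P_RUN = re.compile(r"(?:\x10|\^P){3,}")

def find_popper_overflow_attempts(log_lines):
    """Return popper syslog lines carrying ^P padding, the indicator described in the mail."""
    return [l for l in log_lines if "popper" in l and CTRL_P_RUN.search(l)]

# Constructed sample data modelled on the report, not real captured files.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd          ftpd -l
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper  popper -s
#ntalk  dgram   udp     wait    tty:tty /usr/libexec/ntalkd        ntalkd
talk    stream  tcp     nowait  root    /bin/sh                    sh -i
"""
SAMPLE_LOG = [
    'Jul  4 23:58:01 mail popper[1234]: POP login by user "bob" at 10.0.0.5',
    'Jul  4 23:59:40 mail popper[1240]: -ERR Unknown command: "^P^P^P^P^P^P^P^P".',
]
if __name__ == "__main__":
    for no, reason, line in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"inetd.conf:{no}: {reason}: {line}")
    for entry in find_popper_overflow_attempts(SAMPLE_LOG):
        print("suspicious popper log line:", entry)
```

Run it against the live /etc/inetd.conf and /var/log/maillog before the attacker gets a chance to remove them; an entry flagged by the first rule is exactly the kind of line described above.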


