Date: Sun, 5 Jul 1998 10:14:58 +0100 (BST) From: Scot Elliott <scot@planet-three.com> To: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Security Alert: Qualcomm POP Server Message-ID: <Pine.BSF.3.96.980705100321.19331A-100000@tweetie.online.barbour-index.co.uk>
next in thread | raw e-mail | index | archive | help
Morning all. I caught someone last night with a root shell on our mail server. I traced it back to somewhere in the US, but unfortunately got locked out and the log files removed before I had time to fix it ;-( I shut the machine down remotely by mounting /usr over NFS and changing /usr/libexec/atrun to a shell script that run /sbin/shutdown (near huh? ;-) Anyway - the point is that is looks like some kind of buffer overflow in the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P... messages from popper in the log file before it was removed. There was an extra line in /etc/inetd.conf which ran a shell as root on some port I wasn't using (talk I think). So I'm guessing that the exploit allows anyone to run any command as root. Nice. Whomever it was was having a whale of a time with my C compiler for some reason... very dodgy. If I can find out the source of this then I'd like to follow it up. Does anyone have experience of chasing this sort of thing from across the US border? Also, of course, everyone should check their popper version. Cheers Yours - Scot. ----------------------------------------------------------------------------- Scot Elliott (scot@poptart.org, scot@nic.cx) | Work: +44 (0)171 7046777 PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019 ----------------------------------------------------------------------------- Public key available by finger at: finger scot@poptart.org or at: http://www.poptart.org/pgpkey.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980705100321.19331A-100000>