Date: Fri, 2 Jan 1998 11:03:43 -0500 (EST)
From: Robert Watson <robert@cyrus.watson.org>
To: freebsd-security@freebsd.org
Subject: fledge security check output (fwd)
Message-ID: <Pine.BSF.3.96.980102105810.1391A-100000@fledge.watson.org>
Several passwords have been sniffed on the network my machines are largely based on recently (stupid users who won't use kerberized telnet / ssh) -- apparently it is now popular for hackers to use screen when attacking your host -- it allows them to leave sessions around to be picked up later, have processes active, but not worry about appearing in utmp (this is not that great a feat of course).

Anyhow, I'm guessing that they were trying at a buffer overflow attack or two -- here's some output from my dmesg:

fledge kernel log messages:
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc
> pid 15701 (ftp), uid 1011: exited on signal 11 (core dumped)
> pid 15736 (screen-3.7.2), uid 1011: exited on signal 6
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc
> de0: receive: ff:ff:ff:ff:ff:ff: bad crc

Not sure why ftp would core dump (or at least, why one would want it to -- it's not suid) -- there was an ftp to localhost as the user in question, so I'm guessing they were trying at an ftpd buffer overflow of some kind, and ftp overflowed instead. The screen death looks like it may have been a kill attempt, but is hard to say. I am running Stable as of about two weeks ago; should I be concerned by this arrangement? :)

They then used the account on my host to attack other hosts elsewhere (I am in the process of contacting the people attacked -- one was a linux machine and, due to the fact that I loaded up Watch on them, :) I know they got a root shell and did the grep for passwords in /var/spool/mail or such). I guess it's just that time of year -- winter vacation for bored college students.

The down side to the hacker using screen was that I reclaimed their screen session and went back through their command history even though they zapped their .history. Entertaining, huh. :)

Robert Watson
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980102105810.1391A-100000>
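Two of the indicators in the message above lend themselves to a quick check on any BSD-style host: kernel log entries reporting a process that died on a crash signal (the `pid 15701 (ftp), uid 1011: exited on signal 11 (core dumped)` line), and pty sessions that carry live processes but have no utmp entry, which is what a detached screen session looks like when it is not registering itself in utmp. The script below is an added example written for this page, not code from the original message or from FreeBSD; the dmesg, `who` and `ps` samples are constructed (the user `jdoe`, the pids and the screen session name `hidden` are made up), and the `ps` layout assumes `ps -axo user,tty,pid,command`, where BSD ps prints `p1` for ttyp1 and `??` for a process with no controlling tty.

```python
"""
Hunt for two indicators from the incident above: crash-signal exits logged by
the kernel (a possible overflow attempt) and pty sessions that have processes
but no utmp entry (e.g. a detached screen session).  Added example, not from
the original post; all sample log / who / ps text below is constructed.
"""
import re
from collections import defaultdict

# FreeBSD kernel format: "pid 15701 (ftp), uid 1011: exited on signal 11 (core dumped)"
EXIT_RE = re.compile(
    r"pid (?P<pid>\d+) \((?P<cmd>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+)(?P<core> \(core dumped\))?"
)

# Signals typical of memory corruption: SIGILL, SIGABRT, SIGBUS, SIGSEGV.
# A plain SIGTERM (15) is a normal kill and is deliberately not flagged.
CRASH_SIGNALS = {4: "SIGILL", 6: "SIGABRT", 10: "SIGBUS", 11: "SIGSEGV"}

SAMPLE_DMESG = """\
de0: receive: ff:ff:ff:ff:ff:ff: bad crc
pid 15701 (ftp), uid 1011: exited on signal 11 (core dumped)
pid 15736 (screen-3.7.2), uid 1011: exited on signal 6
de0: receive: ff:ff:ff:ff:ff:ff: bad crc
pid 16002 (sh), uid 1011: exited on signal 15
"""


def crash_events(log_text):
    """Return one dict per crash-class exit found in kernel log text."""
    events = []
    for line in log_text.splitlines():
        m = EXIT_RE.search(line)
        if not m:
            continue
        sig = int(m.group("sig"))
        if sig in CRASH_SIGNALS:
            events.append({
                "pid": int(m.group("pid")),
                "cmd": m.group("cmd"),
                "uid": int(m.group("uid")),
                "signal": CRASH_SIGNALS[sig],
                "core": bool(m.group("core")),
            })
    return events


# Constructed `who` and `ps -axo user,tty,pid,command` output.  utmp knows one
# login on ttyp0; ttyp1 carries a detached screen (user jdoe) with a shell in it.
SAMPLE_WHO = """\
rwatson  ttyp0    Jan  2 10:58  (fledge.example)
"""
SAMPLE_PS = """\
USER     TT    PID COMMAND
rwatson  p0  15600 -tcsh
jdoe     p1  15740 SCREEN -S hidden
jdoe     p1  15741 -sh
root     ??  12345 /usr/sbin/cron
"""


def utmp_ttys(who_text):
    """Set of tty names that utmp (via `who`) knows about."""
    return {line.split()[1] for line in who_text.splitlines() if line.strip()}


def hidden_sessions(who_text, ps_text):
    """Map each tty that has processes but no utmp entry to its (user, pid, command) list."""
    known = utmp_ttys(who_text)
    by_tty = defaultdict(list)
    for line in ps_text.splitlines()[1:]:       # skip the header row
        user, tt, pid, cmd = line.split(None, 3)
        if tt == "??":                          # no controlling tty: daemon, not a session
            continue
        tty = "tty" + tt                        # BSD ps abbreviates ttyp1 as p1
        if tty not in known:
            by_tty[tty].append((user, int(pid), cmd))
    return dict(by_tty)


if __name__ == "__main__":
    for e in crash_events(SAMPLE_DMESG):
        print(f"crash: pid {e['pid']} ({e['cmd']}) uid {e['uid']} {e['signal']}"
              + (" core dumped" if e["core"] else ""))
    for tty, procs in hidden_sessions(SAMPLE_WHO, SAMPLE_PS).items():
        print(f"{tty} has processes but no utmp entry: {procs}")
```

On a live host, feed `crash_events` the output of `dmesg` and `hidden_sessions` the output of `who` and `ps -axo user,tty,pid,command`. A hit is a lead, not proof: a legitimately detached screen session and a crash of a buggy client look the same here, so the next step is the one the message describes, attaching to the session and looking at what is actually running under it.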