From owner-freebsd-security Mon Oct 12 17:31:59 1998
Message-Id: <4.1.19981012181921.066fe700@mail.lariat.org>
Date: Mon, 12 Oct 1998 18:29:21 -0600
To: "Leonard C." , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: URGENT! Need help determining scope of attack...
Sender: owner-freebsd-security@FreeBSD.ORG

This guy could have been trying LOTS of exploits, but the key ones are the Qualcomm QPopper hole and Back Orifice (he's searching for a server). He may have su'ed successfully to root. (What version of QPopper are you running? Telnet to Port 110 on the machine to find out if it's one that can be compromised.)

The IP addresses are fairly likely to be accurate because they are in the same general range. (Those who forge IP addresses usually scatter them all over the map.) Looks like you're being hit by a kid in a dorm at UC Berkeley. Perhaps you should contact the admins there.

--Brett Glass
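The address-range reasoning in the message above can be checked against a log during triage. This is an added example, not part of the original message: it measures what share of the distinct source addresses fall inside one network. The log lines, the /24 grouping, the 0.8 threshold and the function names are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample logs; all addresses are from documentation ranges.
CLUSTERED_LOG = """\
Oct 12 17:01:12 host popper[311]: connect from 192.0.2.17
Oct 12 17:01:40 host popper[312]: connect from 192.0.2.18
Oct 12 17:02:03 host telnetd[320]: connect from 192.0.2.44
Oct 12 17:02:31 host popper[327]: connect from 192.0.2.45
Oct 12 17:03:10 host popper[333]: connect from 192.0.2.201
Oct 12 17:03:55 host ftpd[340]: connect from 198.51.100.9
"""
SCATTERED_LOG = """\
Oct 12 17:01:12 host popper[311]: connect from 192.0.2.17
Oct 12 17:01:40 host popper[312]: connect from 198.51.100.9
Oct 12 17:02:03 host popper[320]: connect from 203.0.113.80
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def source_addresses(log_text):
    """Return the distinct, syntactically valid IPv4 addresses in a log."""
    found = set()
    for token in IPV4_RE.findall(log_text):
        try:
            found.add(ipaddress.IPv4Address(token))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return sorted(found)

def concentration(addrs, prefix_len=24):
    """Return (busiest network, share of distinct addresses inside it)."""
    if not addrs:
        return None, 0.0
    nets = Counter(
        ipaddress.ip_network(f"{a}/{prefix_len}", strict=False) for a in addrs
    )
    net, count = nets.most_common(1)[0]
    return net, count / len(addrs)

def looks_clustered(log_text, prefix_len=24, threshold=0.8):
    """Heuristic only: True when most sources share one network."""
    _, share = concentration(source_addresses(log_text), prefix_len)
    return share >= threshold

if __name__ == "__main__":
    for name, log in (("clustered", CLUSTERED_LOG), ("scattered", SCATTERED_LOG)):
        print(name, concentration(source_addresses(log)), looks_clustered(log))
```

A high share supports contacting the owner of that network, but it does not prove the addresses are genuine; a compromised relay inside that range would produce the same pattern.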