Date:      Sun, 27 Jun 1999 16:58:48 -0400
From:      Christopher Michaels <ChrisMic@clientlogic.com>
To:        'Andrew McNaughton' <andrew@scoop.co.nz>, Keith Anderson <keith@apcs.com.au>
Cc:        questions@FreeBSD.ORG
Subject:   RE: Whats going on please
Message-ID:  <6C37EE640B78D2118D2F00A0C90FCB4401105A16@site2s1>

I agree, your best bet is to restore from a known secure backup or just
wipe the system out and start over.

At the very least, upgrade your popper to the latest version or use a
different mailer altogether.

It may also be in your better interest to e-mail the admin of the offending
system/isp.  Although that's at your discretion if you want to follow up on
the attack.

-Chris

> -----Original Message-----
> From:	Andrew McNaughton [SMTP:andrew@scoop.co.nz]
> Sent:	Sunday, June 27, 1999 6:53 AM
> To:	Keith Anderson
> Cc:	questions@FreeBSD.ORG; security@FreeBSD.ORG
> Subject:	Whats going on please
> 
> 
> popper is a well known problem.  Search back through the archives of
> freebsd-security for details.  Once one problem was found in popper, a
> series of other problems came to light.  I believe the problems that were
> identified have been fixed, but I don't know how comprehensively the source
> has been analysed.
> 
> After getting root access (or presuming they had) through popper, they
> tried to log in through ssh and telnet.  You have log entries from failed
> attempts, but I don't know your system well enough to comment on whether
> there were successful logins also.  My guess is that they failed to get in
> the first time, but may have succeeded in the second attack on popper.
> Alternatively they may have just gone away.
> 
> It's probable that if your version of popper is vulnerable then someone
> has had root access to your machine, and potentially any change at all
> could have been made to your setup.  To be really sure of your security
> you should rebuild from backup, or failing that from a clean system
> install.
> 
> Looks like they were interested in the kmem user.  I don't know if that's
> something to do with what is possible through the popper exploit, but it's
> interesting that they didn't just go for root.  Is there some program
> which runs as kmem but refuses to run as root that they might have been
> interested in?
> 
	I think the kmem thing is coincidental.  He probably has the identd
set up in his inet.conf but doesn't have the kmem uid/group.  This is especially
true if Keith upgraded his system and used his old password.

> Andrew McNaughton
> 
> 
> 
> 
> > Hi All
> > 
> > I just noticed someone hacking.
> > 
> > what has happend ?
> > 
> > any help would be great.
> > 
> > I have whats like a new kernel>
> > 
> > I am the keith@work.xxx.com.au
> > 
> > I have turned off all telnet/ssh/smtp/pop for now
> > 
> > <snip>
> > root@137~#uname -a
> > FreeBSD 137.132.85.96 3.1-RELEASE FreeBSD 3.1-RELEASE #3: Wed Mar 31 14:59:17 EST 1999     keith@work.xxx.com.au:/usr/src/sys/compile/WORK  i386
> > </snip>
> > 
> > what is the '137.132.85.96' or who
> > 
> > it should be work.xxx.com.au 
> > 
> > I have in /var/log/messages
> > 
> > <snip>
> > Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to connect.
> > Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
> > Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg
> > </snip>
> > 
> > and 
> > 
> > <snip>
> > Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 07:09:04 work dnsserver: gethostby*.gethostanswer: asked for "exnjld4avip.doubleclick.net", got "exnjld3avip.doubleclick.net"
> > Jun 27 17:10:05 work popper[1579]: (v2.53) Unable to get canonical name of client, err = 0
> > Jun 27 17:12:40 work inetd[145]: ident/tcp: No such user 'kmem', service ignored
> > Jun 27 17:17:06 work popper[1637]: (v2.53) Unable to get canonical name of client, err = 0
> > Jun 27 17:18:47 work popper[1640]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 17:18:48 work popper[1642]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > Jun 27 17:18:48 work popper[1643]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> > </snip>
> > 
> > Hope you can help
> > 
> > Thanking you 
> > 
> > Keith A
> 


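The two readings of Keith's log above (Andrew's: a run of popper connections from one host that end in EOF, followed later by refused telnet and ssh connects; Chris's: inetd ignoring the ident service because its user field names an account that does not exist) are the sort of thing a responder wants to check mechanically rather than by eye. The Python script below is an added example for this archive page, not code from any participant in the thread. The log lines are the ones Keith quoted, rejoined onto single lines; the inetd.conf and passwd fragments are constructed for illustration, and the identd entry running as kmem and the absence of a kmem account are assumptions, not Keith's actual files.

```python
"""Triage of the /var/log/messages excerpt from this thread.

Added example for this archive page; not code from the thread's participants.
Groups popper disconnects by client host, flags bursts from hosts that later
show up in telnetd refusals, and checks inetd.conf user fields against passwd.
"""
import re
from collections import defaultdict

# Constructed sample: the lines Keith quoted, rejoined onto single lines.
SAMPLE_LOG = """\
Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 07:09:04 work dnsserver: gethostby*.gethostanswer: asked for "exnjld4avip.doubleclick.net", got "exnjld3avip.doubleclick.net"
Jun 27 17:10:05 work popper[1579]: (v2.53) Unable to get canonical name of client, err = 0
Jun 27 17:12:40 work inetd[145]: ident/tcp: No such user 'kmem', service ignored
Jun 27 17:17:06 work popper[1637]: (v2.53) Unable to get canonical name of client, err = 0
Jun 27 17:18:47 work popper[1640]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:18:48 work popper[1642]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:18:48 work popper[1643]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to connect.
Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg
"""

# Constructed inetd.conf and passwd fragments (assumptions for illustration,
# not Keith's real files): identd configured to run as "kmem", and no such
# account in passwd. Program paths are placeholders.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper
ident   stream  tcp     nowait  kmem    /usr/local/sbin/identd  identd -l
"""
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/sbin/nologin
keith:*:1001:1001:Keith A:/home/keith:/bin/sh
"""

SYSLOG_RE = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$')
POPPER_EOF_RE = re.compile(r'^@(?P<host>\S+): -ERR POP EOF received$')
POPPER_VERSION_RE = re.compile(r'^\((?P<ver>v[\d.]+)\)')
TELNETD_REFUSED_RE = re.compile(r'^refused connect from (?P<host>\S+)$')
INETD_NOUSER_RE = re.compile(r"^(?P<svc>\S+): No such user '(?P<user>[^']+)', service ignored$")


def _secs(ts):
    """Seconds since midnight for a 'Mon DD HH:MM:SS' syslog timestamp."""
    h, m, s = ts.split()[-1].split(':')
    return int(h) * 3600 + int(m) * 60 + int(s)


def triage(log_text, window=5, min_burst=3):
    """Correlate the excerpt: popper EOF bursts per host, later telnetd refusals
    from the same host, the popper version string, and services inetd dropped."""
    popper_eof, refused, ignored, version = defaultdict(list), defaultdict(list), [], None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        prog, msg, t = m.group('prog'), m.group('msg'), _secs(m.group('ts'))
        if prog == 'popper':
            e = POPPER_EOF_RE.match(msg)
            if e:
                popper_eof[e.group('host')].append(t)
            v = POPPER_VERSION_RE.match(msg)
            if v:
                version = v.group('ver')
        elif prog == 'telnetd':
            r = TELNETD_REFUSED_RE.match(msg)
            if r:
                refused[r.group('host')].append(t)
        elif prog == 'inetd':
            n = INETD_NOUSER_RE.match(msg)
            if n:
                ignored.append((n.group('svc'), n.group('user')))
    # Largest number of EOF disconnects from one host inside `window` seconds.
    bursts = {}
    for host, times in popper_eof.items():
        times.sort()
        bursts[host] = max(sum(1 for t in times[i:] if t - t0 <= window)
                           for i, t0 in enumerate(times))
    suspects = sorted(h for h, n in bursts.items() if n >= min_burst and h in refused)
    return {'popper_version': version, 'bursts': bursts, 'refused': dict(refused),
            'ignored_services': ignored, 'suspects': suspects}


def check_inetd_users(inetd_conf, passwd):
    """Return (service, user) for inetd.conf entries whose user field names no
    passwd account; inetd logs "No such user ..., service ignored" for these."""
    accounts = {l.split(':', 1)[0] for l in passwd.splitlines() if l and not l.startswith('#')}
    missing = []
    for line in inetd_conf.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith('#') or len(fields) < 6:
            continue
        # Field 5 is user[:group][/login-class]; keep only the user part.
        user = fields[4].split('/', 1)[0].split(':', 1)[0]
        if user not in accounts:
            missing.append((fields[0], user))
    return missing


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    print('popper version:', result['popper_version'])
    print('EOF bursts by host:', result['bursts'])
    print('hosts also refused by telnetd:', result['suspects'])
    print('services inetd dropped:', result['ignored_services'])
    print('inetd.conf users missing from passwd:', check_inetd_users(SAMPLE_INETD_CONF, SAMPLE_PASSWD))
```

On the sample this reports popper v2.53, a burst of three EOF disconnects from compl-r4.iscs.nus.sg (twice, eleven minutes apart), the same host refused by telnetd two hours later, and the ident service dropped because its kmem user is not in passwd. The caveat is in the log message itself: "-ERR POP EOF received" only means the client hung up without sending QUIT, which fits an exploit attempt but also a scanner or a broken client, so the correlation is a lead for the rebuild-or-restore decision the thread arrives at, not proof of compromise on its own.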
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?6C37EE640B78D2118D2F00A0C90FCB4401105A16>