From owner-freebsd-security Sun Jul 5 07:49:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id HAA12007 for freebsd-security-outgoing; Sun, 5 Jul 1998 07:49:27 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from megaweapon.zigg.com (ip121.grand-rapids.mi.pub-ip.psi.net [38.11.210.121]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA11950; Sun, 5 Jul 1998 07:49:18 -0700 (PDT) (envelope-from matt@megaweapon.zigg.com)
Received: from megaweapon.zigg.com (megaweapon.zigg.com [192.168.1.1]) by megaweapon.zigg.com (8.8.8/8.8.8) with SMTP id KAA15549; Sun, 5 Jul 1998 10:49:55 -0400 (EDT) (envelope-from matt@megaweapon.zigg.com)
Date: Sun, 5 Jul 1998 10:49:55 -0400 (EDT)
From: Matt Behrens
To: Scot Elliott
cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is the bug mentioned on BUGTRAQ about two weeks ago. A friend of mine got hit as well by "well-meaning" attackers. Blah. In any case, he upgraded to 2.52 of popper and is now immune to at least the script kiddie attacks.

On Sun, 5 Jul 1998, Scot Elliott wrote:

> Morning all.
>
> I caught someone last night with a root shell on our mail server. I
> traced it back to somewhere in the US, but unfortunately got locked out
> and the log files removed before I had time to fix it ;-(
>
> I shut the machine down remotely by mounting /usr over NFS and changing
> /usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
> ;-)
>
> Anyway - the point is that it looks like some kind of buffer overflow in
> the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
> messages from popper in the log file before it was removed. There was an
> extra line in /etc/inetd.conf which ran a shell as root on some port I
> wasn't using (talk I think). So I'm guessing that the exploit allows
> anyone to run any command as root. Nice. Whoever it was was having a
> whale of a time with my C compiler for some reason... very dodgy.
>
> If I can find out the source of this then I'd like to follow it up. Does
> anyone have experience of chasing this sort of thing from across the US
> border? Also, of course, everyone should check their popper version.
>
> Cheers
>
> Yours - Scot.
>
> -----------------------------------------------------------------------------
> Scot Elliott (scot@poptart.org, scot@nic.cx) | Work: +44 (0)171 7046777
> PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
> -----------------------------------------------------------------------------
> Public key available by finger at: finger scot@poptart.org
> or at: http://www.poptart.org/pgpkey.html
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message

Matt Behrens                             | http://www.zigg.com/
Network Operations, The Iserv Company    | Proudly running FreeBSD; sworn
MIS, Michigan Kenworth, Inc.             | enemy of Linux, a free hack OS
Chanop Script Coordinator, WWFIN         | and Windows, a non-free hack OS!

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
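The two checks that follow from this thread are the ones a mail admin would run on every box: look for inetd.conf service lines whose server program is a shell (the planted "talk" entry Scot describes), and confirm the popper version is at least 2.52. The script below is an added example, not code from the original thread or from the qpopper project. The inetd.conf content is constructed for the example, and the greeting format "+OK QPOP (version X.Y) at host starting." is an assumption about what the server banner looks like; on a real system you would feed /etc/inetd.conf and the actual banner line instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Two defender-side checks:
#   1. find active inetd.conf lines whose server program is a shell
#   2. compare a popper greeting's version number against 2.52
# All sample data below is constructed for this example.

# Constructed sample inetd.conf: three normal services plus one planted
# entry on an unused port (talk) that runs a shell as root.
SAMPLE_INETD='ftp     stream  tcp     nowait  root    /usr/libexec/ftpd          ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd       telnetd
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper  popper -s
talk    dgram   udp     wait    root    /bin/sh                    sh -i
#ntalk  dgram   udp     wait    root    /usr/libexec/ntalkd        ntalkd'

# shell_services: reads inetd.conf lines on stdin and prints every active
# (non-comment) line whose server-program field, field 6, is a shell binary.
shell_services() {
    awk '/^[ \t]*#/ || NF < 6 { next }
         $6 ~ /(^|\/)(sh|csh|tcsh|bash|ksh)$/ { print }'
}

# count_shell_services: number of such lines, for a quick pass/fail check.
count_shell_services() {
    shell_services | wc -l | tr -d ' '
}

# popper_version: extracts "X.Y" from a greeting line on stdin such as
# "+OK QPOP (version 2.52) at mail.example.org starting." (format assumed
# for this example) and prints it; prints nothing if no version is present.
popper_version() {
    sed -n 's/.*(version \([0-9][0-9.]*\)).*/\1/p'
}

# version_at_least VER MIN: exit 0 if VER >= MIN, comparing each dotted
# field numerically so that 2.10 sorts above 2.9.
version_at_least() {
    awk -v v="$1" -v m="$2" 'BEGIN {
        nv = split(v, a, "."); nm = split(m, b, ".")
        n = (nv > nm) ? nv : nm
        for (i = 1; i <= n; i++) {
            x = (i in a) ? a[i] + 0 : 0
            y = (i in b) ? b[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Run both checks against the constructed samples.
echo "Suspect inetd.conf entries (server program is a shell):"
printf '%s\n' "$SAMPLE_INETD" | shell_services

ver=$(echo '+OK QPOP (version 2.41) at mail.example.org starting.' | popper_version)
if version_at_least "$ver" 2.52; then
    echo "popper $ver: at or above 2.52"
else
    echo "popper $ver: older than 2.52, upgrade"
fi
```

On a live host, replace the constructed sample with `shell_services < /etc/inetd.conf`, and pipe the first line of a `telnet host 110` session (or a captured banner) into `popper_version`. The field-6 test deliberately ignores the service name and port, since the thread's point is that the backdoor sat on a port nobody was watching.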