Date: Sun, 5 Jul 1998 10:49:55 -0400 (EDT) From: Matt Behrens <matt@megaweapon.zigg.com> To: Scot Elliott <scot@planet-three.com> Cc: freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Security Alert: Qualcomm POP Server Message-ID: <Pine.BSF.3.96.980705104849.15530A-100000@megaweapon.zigg.com> In-Reply-To: <Pine.BSF.3.96.980705100321.19331A-100000@tweetie.online.barbour-index.co.uk>
next in thread | previous in thread | raw e-mail | index | archive | help
This is the bug mentioned on BUGTRAQ about two weeks ago. A friend of mine got hit as well by "well-meaning" attackers. Blah. In any case, he upgraded to 2.52 of popper and is now immune to at least the script kiddie attacks. On Sun, 5 Jul 1998, Scot Elliott wrote: > Morning all. > > I caught someone last night with a root shell on our mail server. I > traced it back to somewhere in the US, but unfortunately got locked out > and the log files removed before I had time to fix it ;-( > > I shut the machine down remotely by mounting /usr over NFS and changing > /usr/libexec/atrun to a shell script that run /sbin/shutdown (near huh? > ;-) > > Anyway - the point is that is looks like some kind of buffer overflow in > the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P... > messages from popper in the log file before it was removed. There was an > extra line in /etc/inetd.conf which ran a shell as root on some port I > wasn't using (talk I think). So I'm guessing that the exploit allows > anyone to run any command as root. Nice. Whomever it was was having a > whale of a time with my C compiler for some reason... very dodgy. > > If I can find out the source of this then I'd like to follow it up. Does > anyone have experience of chasing this sort of thing from across the US > border? Also, of course, everyone should check their popper version. > > Cheers > > > Yours - Scot. > > > ----------------------------------------------------------------------------- > Scot Elliott (scot@poptart.org, scot@nic.cx) | Work: +44 (0)171 7046777 > PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019 > ----------------------------------------------------------------------------- > Public key available by finger at: finger scot@poptart.org > or at: http://www.poptart.org/pgpkey.html > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe security" in the body of the message > Matt Behrens <matt@zigg.com> | http://www.zigg.com/ Network Operations, The Iserv Company | Proudly running FreeBSD; sworn MIS, Michigan Kenworth, Inc. | enemy of Linux, a free hack OS Chanop Script Coordinator, WWFIN | and Windows, a non-free hack OS! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980705104849.15530A-100000>