Date: Wed, 09 Oct 2002 13:36:27 -0400
From: Mike Tancsa <mike@sentex.net>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Sendmail trojan...?
Message-ID: <5.1.1.6.0.20021009132729.03c584a8@marble.sentex.ca>
In-Reply-To: <20021009101237.A11608@zardoc.esmtp.org>
References: <5.1.1.6.0.20021009125538.04748c18@marble.sentex.ca> <20021009142546.GA27227@darkstar.doublethink.cx> <3DA3AE76.1070006@deevil.homeunix.org> <20021009142546.GA27227@darkstar.doublethink.cx> <20021009080341.A26616@zardoc.esmtp.org> <5.1.1.6.0.20021009125538.04748c18@marble.sentex.ca>

I am no forensics expert, but my initial guess tells me some remote non-root exploit (was apache really compiled against the proper OpenSSL update? Someone careless with ssh keys or passwords?) and then if netcraft is correct (uptime was 159 days) there are a couple of local root exploits that could have been used.

        ---Mike

At 10:12 AM 09/10/2002 -0700, Claus Assmann wrote:
>On Wed, Oct 09, 2002, Mike Tancsa wrote:
> >
> > Hi,
> > Do you know the method they used to get in ? OpenSSL/https then
> > local root exploit ? Although netcraft says
> > Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e on FreeBSD
>
>We don't know (yet).
>
>If you can help us trying to figure this out, please contact
>sendmail-security at sendmail.org
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message