Date: Wed, 09 Oct 2002 13:36:27 -0400
To: freebsd-security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: Sendmail trojan...?
In-Reply-To: <20021009101237.A11608@zardoc.esmtp.org>

I am no forensics expert, but my initial guess tells me some remote non-root exploit (was Apache really compiled against the proper OpenSSL update? Someone careless with ssh keys or passwords?) and then, if netcraft is correct (uptime was 159 days), there are a couple of local root exploits that could have been used.

---Mike

At 10:12 AM 09/10/2002 -0700, Claus Assmann wrote:
>On Wed, Oct 09, 2002, Mike Tancsa wrote:
>
> > Hi,
> > Do you know the method they used to get in? OpenSSL/https then
> > local root exploit? Although netcraft says
> > Apache/1.3.26 (Unix) mod_ssl/2.8.10 OpenSSL/0.9.6e on FreeBSD
>
>We don't know (yet).
>
>If you can help us trying to figure this out, please contact
>sendmail-security at sendmail.org
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message