Date: 13 Oct 1998 02:51:26 +0200 From: dag-erli@ifi.uio.no (Dag-Erling C. =?iso-8859-1?Q?Sm=F8rgrav?= ) To: "Leonard C." <leonardc9@usa.net> Cc: security@FreeBSD.ORG Subject: Re: URGENT! Need help determining scope of attack... Message-ID: <xzp4st9jnch.fsf@hrotti.ifi.uio.no> In-Reply-To: "Leonard C."'s message of "Mon, 12 Oct 1998 16:09:59 -0700" References: <v04011702b24835d1f943@[10.0.0.2]>
next in thread | previous in thread | raw e-mail | index | archive | help
"Leonard C." <leonardc9@usa.net> writes: > When I checked my system's daily report today, I found this: > > > pid 7081 (telnet), uid 0: exited on signal 3 (core dumped) > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335 > > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896 > > With the core dump and then the attempted connections to port 31337, I'm > suspecting that this is a script kiddy. What worries me is I'm unsure of > the scope of the attack. In the logs, right after the attack, there was an > su to root, but no new accounts have been added, nor any new uid 0 > accounts. There are also no new setuid programs either. Relax. Some idiot scanned your box for BO, which won't do him much good since you're running FreeBSD. Check your /var/log/messages to see how long after the core dump that was. I'm pretty sure the core dump was unrelated; check /var/log/messages and find out how much time passed between them. The same idiot tried to root you through qpopper, but it seems you have an up-to-date version and he didn't have a clue anyway. Seems he was working by hand, not running scripts: he made typos while talking to qpopper. Next time something like this happens, you should do a better job of masking your hostname and IP address before mailing your logs to a public forum. Black hats read mailing lists too. Oh, and if I were you I'd get in touch with UCB and send your logs to whoever is in charge over there. Teach some idiot freshman a lesson. finrod@niobe ~$ nslookup 169.229.84.53 Server: localhost.ewox.org Address: 127.0.0.1 Name: ehr-84-53.Reshall.Berkeley.EDU Address: 169.229.84.53 You have mail in /var/mail/finrod finrod@niobe ~$ nslookup 169.229.93.66 Server: localhost.ewox.org Address: 127.0.0.1 Name: pri-93-66.Reshall.Berkeley.EDU Address: 169.229.93.66 DES -- Dag-Erling Smørgrav - dag-erli@ifi.uio.no To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?xzp4st9jnch.fsf>