From owner-freebsd-security Mon Oct 12 17:51:45 1998
From: dag-erli@ifi.uio.no (Dag-Erling C. Smørgrav)
To: "Leonard C."
Cc: security@FreeBSD.ORG
Subject: Re: URGENT! Need help determining scope of attack...
Date: 13 Oct 1998 02:51:26 +0200
Organization: University of Oslo, Department of Informatics
In-Reply-To: "Leonard C."'s message of "Mon, 12 Oct 1998 16:09:59 -0700"
X-url: http://www.stud.ifi.uio.no/~dag-erli/

"Leonard C." writes:

> When I checked my system's daily report today, I found this:
>
> > pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
> > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896
>
> With the core dump and then the attempted connections to port 31337, I'm
> suspecting that this is a script kiddie. What worries me is I'm unsure of
> the scope of the attack. In the logs, right after the attack, there was an
> su to root, but no new accounts have been added, nor any new uid 0
> accounts. There are also no new setuid programs either.

Relax. Some idiot scanned your box for BO, which won't do him much good
since you're running FreeBSD. Check your /var/log/messages to see how long
after the core dump that was. I'm pretty sure the core dump was unrelated;
check /var/log/messages and find out how much time passed between them.

The same idiot tried to root you through qpopper, but it seems you have an
up-to-date version and he didn't have a clue anyway. Seems he was working
by hand, not running scripts: he made typos while talking to qpopper.

Next time something like this happens, you should do a better job of
masking your hostname and IP address before mailing your logs to a public
forum. Black hats read mailing lists too.

Oh, and if I were you I'd get in touch with UCB and send your logs to
whoever is in charge over there. Teach some idiot freshman a lesson.
finrod@niobe ~$ nslookup 169.229.84.53
Server:  localhost.ewox.org
Address:  127.0.0.1

Name:    ehr-84-53.Reshall.Berkeley.EDU
Address:  169.229.84.53

You have mail in /var/mail/finrod
finrod@niobe ~$ nslookup 169.229.93.66
Server:  localhost.ewox.org
Address:  127.0.0.1

Name:    pri-93-66.Reshall.Berkeley.EDU
Address:  169.229.93.66

DES
-- 
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
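The check DES recommends, as an added example that is not part of the original message or of FreeBSD: read the /var/log/messages lines behind the daily report, pull out the kernel log_in_vain "Connection attempt" entries, the core dump and the su, and measure how much time separates them, so that "right after the attack" becomes a number rather than an impression. The sample log lines below are constructed for the example (hostname "nimbus" and the victim address 192.0.2.10 are placeholders, since the original masked the host); only the two source addresses are taken from the post. The syslog year is not logged, so it is passed in.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in /var/log/messages format (not from the original post).
# Hostname and victim address are placeholders; the probing sources are the
# two addresses quoted in the report.
SAMPLE_MESSAGES = """\
Oct 12 15:42:03 nimbus /kernel: pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
Oct 12 16:01:11 nimbus /kernel: Connection attempt to UDP 192.0.2.10:31337 from 169.229.93.66:1335
Oct 12 16:01:14 nimbus /kernel: Connection attempt to UDP 192.0.2.10:31337 from 169.229.93.66:1335
Oct 12 16:01:19 nimbus /kernel: Connection attempt to UDP 192.0.2.10:31337 from 169.229.93.66:1335
Oct 12 16:07:52 nimbus /kernel: Connection attempt to UDP 192.0.2.10:31337 from 169.229.84.53:1896
Oct 12 16:09:30 nimbus su: leonard to root on /dev/ttyp0
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
CONN_RE = re.compile(r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.]+):(?P<dport>\d+)"
                     r" from (?P<src>[\d.]+):(?P<sport>\d+)")
CORE_RE = re.compile(r"pid (?P<pid>\d+) \((?P<prog>[^)]+)\), uid (?P<uid>\d+): "
                     r"exited on signal (?P<sig>\d+) \(core dumped\)")
SU_RE = re.compile(r"su: (?P<user>\S+) to (?P<target>\S+) on (?P<tty>\S+)")

# Ports worth a second look in a log_in_vain report. Only the one the post is
# about is listed; extend as needed.
KNOWN_BACKDOOR_PORTS = {("UDP", 31337): "Back Orifice default port"}


def parse_messages(text, year):
    """Turn syslog lines into typed events with real timestamps."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if (c := CONN_RE.search(msg)):
            events.append({"ts": ts, "kind": "conn", **c.groupdict()})
        elif (c := CORE_RE.search(msg)):
            events.append({"ts": ts, "kind": "core", **c.groupdict()})
        elif (c := SU_RE.search(msg)):
            events.append({"ts": ts, "kind": "su", **c.groupdict()})
    return events


def triage(events):
    """Who probed what, and how far apart the core dump, probes and su were."""
    conns = [e for e in events if e["kind"] == "conn"]
    cores = [e for e in events if e["kind"] == "core"]
    sus = [e for e in events if e["kind"] == "su" and e["target"] == "root"]

    scanners = Counter(e["src"] for e in conns)
    flagged = sorted({(e["proto"], int(e["dport"])) for e in conns} & set(KNOWN_BACKDOOR_PORTS))
    flagged = [(p, port, KNOWN_BACKDOOR_PORTS[(p, port)]) for p, port in flagged]

    first_conn = min((e["ts"] for e in conns), default=None)
    last_conn = max((e["ts"] for e in conns), default=None)

    # Seconds from each core dump to the first probe: a large gap is the
    # "probably unrelated" signal DES describes.
    core_to_scan = [(first_conn - c["ts"]).total_seconds() for c in cores] if first_conn else []

    # Seconds from the last probe to each su to root; a negative value means
    # the su happened before the probes.
    su_report = [{"user": s["user"], "tty": s["tty"],
                  "seconds_after_last_conn": (s["ts"] - last_conn).total_seconds() if last_conn else None}
                 for s in sus]

    return {"scanners": dict(scanners), "flagged_ports": flagged,
            "core_dumps": [(c["prog"], int(c["sig"])) for c in cores],
            "core_to_first_scan_s": core_to_scan, "su_to_root": su_report}


if __name__ == "__main__":
    result = triage(parse_messages(SAMPLE_MESSAGES, 1998))
    for src, n in result["scanners"].items():
        print(f"{src}: {n} probe(s)")
    for proto, port, label in result["flagged_ports"]:
        print(f"{proto}/{port}: {label}")
    for prog_sig, gap in zip(result["core_dumps"], result["core_to_first_scan_s"]):
        print(f"core dump {prog_sig} preceded first probe by {gap:.0f} s")
    for s in result["su_to_root"]:
        print(f"su {s['user']} -> root on {s['tty']}: {s['seconds_after_last_conn']:.0f} s after last probe")
```

With the constructed lines the core dump sits 1148 seconds before the first probe and the su follows the last probe by 98 seconds; the first figure is the one DES wants measured before treating the telnet crash as part of the same incident. The reverse lookups he ran by hand are deliberately left out so the script stays offline.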