Date: Thu, 16 Jul 1998 13:28:29 -0700 (PDT)
From: "Jan B. Koum" <jkb@best.com>
To: "L. Brett Glass" <rogue@well.com>
Cc: chat@FreeBSD.ORG
Subject: Re: We are under attack
Message-ID: <Pine.BSF.3.96.980716131302.24161A-100000@shell6.ba.best.com>
In-Reply-To: <199807161958.MAA17474@well.com>
On Thu, 16 Jul 1998, L. Brett Glass wrote:

>Our FreeBSD server has been under attack for the past 24 hours by crackers
>seeking to exploit a buffer overflow bug in Qualcomm's QPopper POP3 server.
>I just got back from a two-week honeymoon and had not heard about the
>potential exploit when we got hit. I figured out what was going on from
>the system logs, which showed large amounts of bogus input to the daemon.

Yeah, BSD and Linux exploits were posted on bugtraq a few weeks ago. You do
have a backup admin when you leave, right? :)

Also, check out www.nfr.net -- it can help you during a break-in to see what
took place.

>The attacks seem to be originating from a domain in New York City; the name
>of the system is "eastcoast.hitnet.org" (AKA "hitman.com"). From the sound
>of it, this is an organized, nationwide group. They obviously have experience
>with FreeBSD, as they compiled Trojan horse versions of at least two system
>utilities and replaced the existing ones with them. I realized we'd been
>"rooted" when I saw that these files, which were owned by root:wheel,
>had been replaced.

www.hitman.com seems to be an ISP. Most likely they got 0wned with the same
exploit; the attackers backdoored it and now use it to stage new attacks.

>We've contacted the FBI and hope for a speedy response. In the meantime,
>don't wait; if you're using FreeBSD with the Qualcomm POP3 server, get
>the new one NOW. It may also be a good idea to block traffic from the subnet
>207.198.185.X, where the attacks on our system originated. Help from the
>FreeBSD community in recovering from this root compromise would be MUCH
>appreciated.

Hehe.. guess what? The FBI doesn't care unless you have at least a 100K loss
or theft.

The Qualcomm bug was mentioned here and on bugtraq. You have an excuse - you
were gone. For anyone else, if they don't know about the Qualcomm bug, it is
their fault.

Now, about recovering .. suspect ALL your data. Get a new system. Install
2.2.6 on it. Then cvsup to -stable and make world to make sure you have all
the patches. Then move over user data only from /usr/home (or wherever else
you keep user data). Copy other files by hand and check them for backdoors
(/etc/crontab, /etc/aliases, etc., etc.). Install tripwire on your new system
also. :)

Do post your progress or if you have any further questions.

-- Yan

>--Brett Glass (normally brett@lariat.org)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-chat" in the body of the message
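The recovery advice in the reply above (copy files by hand, check them for backdoors, install tripwire) comes down to comparing the rebuilt system against a trusted baseline so a replaced binary or edited /etc/crontab shows up even when ownership still reads root:wheel. The following is a minimal file-integrity check added here as an illustration; it is not part of the original thread or of tripwire, and it assumes a POSIX sh with either GNU sha256sum or FreeBSD's sha256 on PATH (function names and paths are hypothetical):

```shell
#!/bin/sh
# Minimal "tripwire-lite": record hash, mode and owner of every regular
# file under the given directories, then diff against that baseline.
# Added example; assumes sha256sum (GNU) or sha256 (FreeBSD) is available.

# One baseline line per file: "<sha256> <mode> <owner>:<group> <path>".
# Mode and owner are included so a trojaned binary that kept its hash-
# unrelated metadata (root:wheel, 0755) is still caught by the hash, and
# a permission change on an unchanged file is caught by the mode field.
fim_record() {
    f=$1
    if command -v sha256sum >/dev/null 2>&1; then
        h=$(sha256sum "$f" | cut -d' ' -f1)
    else
        h=$(sha256 -q "$f")          # FreeBSD / BSD userland
    fi
    # ls -ld is portable across GNU and BSD; stat(1) flags are not.
    set -- $(ls -ld "$f")
    printf '%s %s %s:%s %s\n' "$h" "$1" "$3" "$4" "$f"
}

# fim_baseline <baseline-file> <dir>...  : write the trusted baseline.
# Run this on the freshly installed system, before it goes back on the net.
fim_baseline() {
    out=$1; shift
    find "$@" -type f | sort | while read -r f; do fim_record "$f"; done > "$out"
}

# fim_verify <baseline-file> <dir>...  : re-record and compare.
# Returns 0 when nothing changed, 1 when any file was modified/added/removed;
# in the diff output, lines starting with '>' are the current (suspect) state.
fim_verify() {
    base=$1; shift
    cur=$(mktemp)
    find "$@" -type f | sort | while read -r f; do fim_record "$f"; done > "$cur"
    if cmp -s "$base" "$cur"; then
        rm -f "$cur"
        return 0
    fi
    echo "INTEGRITY CHANGE detected:"
    diff "$base" "$cur" || true
    rm -f "$cur"
    return 1
}
```

Keep the baseline file off the monitored host (or on read-only media), since a baseline the intruder can rewrite proves nothing.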