From owner-freebsd-chat Thu Jul 16 14:07:52 1998
Return-Path: 
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA14401 for freebsd-chat-outgoing; Thu, 16 Jul 1998 14:07:52 -0700 (PDT) (envelope-from owner-freebsd-chat@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA14375 for ; Thu, 16 Jul 1998 14:07:47 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id PAA07832; Thu, 16 Jul 1998 15:06:36 -0600 (MDT)
Message-Id: <199807162106.PAA07832@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Thu, 16 Jul 1998 15:03:14 -0600
To: "Jan B. Koum " , "L. Brett Glass" 
From: Brett Glass 
Subject: Re: We are under attack
Cc: chat@FreeBSD.ORG
In-Reply-To: 
References: <199807161958.MAA17474@well.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-chat@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:28 PM 7/16/98 -0700, Jan B. Koum wrote:

> Yeah, BSD and Linux exploits were posted on bugtraq a few weeks
>ago. You do have a backup admin when you leave, right? :)

Yes, but he's primarily an NT whiz. ;-S

> www.hitman.com seems to be an ISP. Most likely they got 0wned with
>same exploit, backdoored it and use it now to stage new attacks.

I don't think so. Their InterNIC registration seems to use a fraudulently obtained e-mail address. I think they're hiding behind something. And, again, "eastcoast" implies a "westcoast", so this could be a nationwide thing.

> Hehe.. guess what? FBI doesn't care unless you have at least 100K
>loss or theft.

This is a big public e-mail server. There's a LOT of valuable business data on it. (Or, I should say, there WAS.) One thing about buffer overflow exploits is that they usually corrupt RAM. They sideswiped the disk cache and we experienced some disk corruption as a result: files with nonexistent owners, etc. We have good backups, but unfortunately the attack did go into the business day.

>Qualcomm bug was mentioned here and on bugtraq. You have an
>excuse - you were gone. Someone else, if they don't know about qualcomm,
>it is their fault.

I first found info on it -- after I deduced that this was what was going on -- on CERT's Web site. They published the report on the 14th. I might have seen it earlier, but I was out of touch in the Scottish Highlands.

> Now, about recovering .. suspect ALL your data. Get a new system.
>Install 2.2.6 on it. Then cvsup to -stable and make world to make sure you
>have all the patches.

How long 'till 2.2.7?

>Then move over user data only from /usr/home (or
>other place where you have user data). Copy other files by hand and check
>them for backdoors (/etc/crontab, /etc/aliases, etc, etc). Install
>tripwire on your new system also. :)

Only one problem: PASSWORDS may have been compromised, too. The crackers got root. Fortunately, we have a very small number of people with root privilege, and we can take care of all of them. But we still care about the users; we don't want their data compromised.

I think the big mistake was in using ANYTHING from Qualcomm. Eudora Pro is incredibly buggy, bloated, and slow, and their tech support is the worst on Earth.... I should have known. Anyone know of a better POP server?

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with
"unsubscribe freebsd-chat" in the body of the message
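As an added example, not part of the original thread or of any FreeBSD or Qualcomm code, here is a small POSIX shell script that does the two checks the recovery advice in the message boils down to: a tripwire-style baseline of hand-copied configuration files such as /etc/crontab and /etc/aliases, re-verified after the copy, and a search for files whose owner or group no longer exists in the password database (the corruption symptom Brett reports). The /etc-like tree, its file contents, the appended cron "backdoor" line and the function names (`make_baseline`, `check_baseline`, `orphaned_files`, `demo_report`) are all constructed for the demo and are assumptions, not anything the thread describes.

```shell
#!/bin/sh
# Added example (not from the original mailing-list thread): a minimal
# tripwire-style integrity check plus a "files with nonexistent owners"
# search. All paths and file contents below are constructed for the demo.
set -eu

# SHA-256 of one file; uses GNU sha256sum or, failing that, BSD shasum.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Record a baseline manifest: one "digest<TAB>path" line per file.
# Usage: make_baseline MANIFEST file...
make_baseline() {
    manifest=$1; shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s\t%s\n' "$(digest "$f")" "$f" >> "$manifest"
    done
}

# Re-verify every file in the manifest. Prints "MODIFIED path" or
# "MISSING path" per problem; returns 0 only if everything matches.
check_baseline() {
    manifest=$1
    status=0
    while IFS="$(printf '\t')" read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; status=1
        elif [ "$(digest "$path")" != "$want" ]; then
            echo "MODIFIED $path"; status=1
        fi
    done < "$manifest"
    return $status
}

# Files whose owner or group is not in passwd/group, printed as "ORPHAN path".
# -nouser/-nogroup are POSIX find predicates; on a real box run this as root
# over the whole filesystem, since the orphans are wherever the cache was hit.
orphaned_files() {
    find "$1" \( -nouser -o -nogroup \) -print | sed 's/^/ORPHAN /'
}

# Demo: build a constructed /etc-like tree, baseline it, then simulate an
# attacker appending a cron job and deleting /etc/aliases.
demo_report() {
    root=$(mktemp -d)
    mkdir "$root/etc"
    printf '0 3 * * * root /usr/bin/backup\n' > "$root/etc/crontab"
    printf 'root: postmaster\n' > "$root/etc/aliases"
    printf 'nameserver 127.0.0.1\n' > "$root/etc/resolv.conf"
    make_baseline "$root/manifest" "$root"/etc/*

    # Constructed tampering: an extra cron entry and a removed file.
    printf '* * * * * root /tmp/.x/bd\n' >> "$root/etc/crontab"
    rm "$root/etc/aliases"

    check_baseline "$root/manifest" || true   # report, but keep going
    orphaned_files "$root/etc"
    rm -rf "$root"
}

demo_report
```

Run it with `sh` and the report lists `MISSING .../etc/aliases` and `MODIFIED .../etc/crontab` while `resolv.conf` stays quiet; the orphan search prints nothing on the demo tree because the files were just created by the current user. The manifest is only worth anything if it is written to read-only or offline media before the system goes back on the network, which is the point of the "install tripwire on your new system" advice.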