Date: Sun, 27 Jun 1999 21:46:57 +1000 (EST)
From: Keith Anderson <keith@apcs.com.au>
To: Andrew McNaughton <andrew@scoop.co.nz>
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject: Re: Whats going on please
Message-ID: <XFMail.990627214657.keith@apcs.com.au>
In-Reply-To: <199906271053.WAA01352@aniwa.sky>

Hi Andrew

The version of popper is (v2.53) and the box is FreeBSD 3.1-REL.

The person is still trying to connect now. I think I have closed all doors ATM.

I have put tcp_wrappers on pop so only local IPs can access mail.

I will ftp in new source and remake a kernel. Should I maybe cvs to 3.2-REL and make world?

The problem is, it's a remote site.

If the hacker was in then I believe he would stop trying all ports for access.

Thanks
Keith

On 27-Jun-99 Andrew McNaughton wrote:
>
> popper is a well known problem. Search back through the archives of
> freebsd-security for details. Once one problem was found in popper, a series
> of other problems came to light. I believe the problems that were identified
> have been fixed, but I don't know how comprehensively the source has been
> analysed.
>
> After getting root access (or presuming they had) through popper, they tried
> to log in through ssh and telnet. You have log entries from failed attempts,
> but I don't know your system well enough to comment on whether there were
> successful logins also. My guess is that they failed to get in the first
> time, but may have succeeded in the second attack on popper. Alternatively
> they may have just gone away.
>
> It's probable that if your version of popper is vulnerable then someone has
> had root access to your machine, and potentially any change at all could have
> been made to your setup. To be really sure of your security you should
> rebuild from backup, or failing that from a clean system install.
>
> Looks like they were interested in the kmem user. I don't know if that's
> something to do with what is possible through the popper exploit, but it's
> interesting that they didn't just go for root. Is there some program which
> runs as kmem but refuses to run as root that they might have been interested
> in?
>
> Andrew McNaughton
>
>
>
>
>> Hi All
<SNIP>

"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."
** The thing I like most about Windows 98 is...
** You can download FreeBSD with it!
----------------------------------
E-Mail: Keith Anderson <keith@apcs.com.au>
Australia Power Control Systems Pty. Limited.
Date: 27-Jun-99
Time: 21:38:32
Satellite Service 64K to 2Meg

This message was sent by XFMail
----------------------------------
What's the similarity between an air conditioner and a computer?
They both stop working when you open windows.
----------------------------------