From owner-freebsd-security Sun Jun 27 4:47:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from well.apcs.com.au (unknown [203.41.196.92]) by hub.freebsd.org (Postfix) with ESMTP id B4F6514C08; Sun, 27 Jun 1999 04:47:02 -0700 (PDT) (envelope-from keith@well.apcs.com.au)
Received: (from keith@localhost) by well.apcs.com.au (8.9.3/8.9.2) id VAA01164; Sun, 27 Jun 1999 21:46:57 +1000 (EST) (envelope-from keith)
Message-ID:
X-Mailer: XFMail 1.3 [p0] on FreeBSD
X-Priority: 3 (Normal)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
In-Reply-To: <199906271053.WAA01352@aniwa.sky>
Date: Sun, 27 Jun 1999 21:46:57 +1000 (EST)
From: Keith Anderson
To: Andrew McNaughton
Subject: Re: Whats going on please
Cc: security@FreeBSD.ORG, questions@FreeBSD.ORG
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi Andrew

The version of popper is (v2.53) and the box is FreeBSD 3.1-REL. The person is still trying to connect now. I think I have closed all doors ATM. I have put tcp_wrappers on pop so only local IPs can access mail.

I will ftp in new source and remake a kernel. Should I maybe cvs to 3.2-REL and make world? The problem is, it's a remote site.

If the hacker was in then I believe he would stop trying all ports for access.

Thanks
Keith

On 27-Jun-99 Andrew McNaughton wrote:
>
> popper is a well known problem. Search back through the archives of
> freebsd-security for details. Once one problem was found in popper, a series
> of other problems came to light. I believe the problems that were identified
> have been fixed, but I don't know how comprehensively the source has been
> analysed.
>
> After getting root access (or presuming they had) through popper, they tried
> to log in through ssh and telnet. You have log entries from failed attempts,
> but I don't know your system well enough to comment on whether there were
> successful logins also. My guess is that they failed to get in the first
> time, but may have succeeded in the second attack on popper. Alternatively
> they may have just gone away.
>
> It's probable that if your version of popper is vulnerable then someone has
> had root access to your machine, and potentially any change at all could have
> been made to your setup. To be really sure of your security you should
> rebuild from backup, or failing that from a clean system install.
>
> Looks like they were interested in the kmem user. I don't know if that's
> something to do with what is possible through the popper exploit, but it's
> interesting that they didn't just go for root. Is there some program which
> runs as kmem but refuses to run as root that they might have been interested
> in?
>
> Andrew McNaughton
>
>
>
>> Hi All

"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."
** The thing I like most about Windows 98 is... **
** You can download FreeBSD with it!
----------------------------------
E-Mail: Keith Anderson
Australia Power Control Systems Pty. Limited.
Date: 27-Jun-99 Time: 21:38:32
Satellite Service 64K to 2Meg
This message was sent by XFMail
----------------------------------
What's the similarity between an air conditioner and a computer?
They both stop working when you open windows.
----------------------------------
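The tcp_wrappers restriction Keith describes, shown here as an added illustration that is not from the original thread: a hosts.allow fragment that limits the POP daemon to local addresses and refuses everyone else. The daemon name "popper" and the 192.168.1.0/24 range are assumptions for this example; the name must match whatever inetd actually invokes on the box.

```conf
# /etc/hosts.allow (added example, not from the thread)
# Assumptions: inetd runs the pop3 service through tcp_wrappers under the
# daemon name "popper", and the local network is 192.168.1.0/24. Both are
# placeholders; the daemon name must match the process name inetd starts.
# Rules are evaluated top to bottom and the first match wins.

# Weak setting: popper stays reachable from any address, so the remote
# connection attempts seen in the thread would still reach it.
# popper : ALL : allow

# Corrected setting: loopback and the local network only; every other
# client is refused (tcp_wrappers logs the refused connection via syslog).
popper : 127.0.0.1 192.168.1.0/255.255.255.0 : allow
popper : ALL : deny
```

tcpdmatch popper <client-address> shows which rule a given client would hit, so the ruleset can be checked before relying on it. As the reply above points out, blocking new connections does nothing about a compromise that may already have happened; that still calls for the rebuild from backup or a clean install.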