From owner-freebsd-security Tue Jul 28 14:12:46 1998
Message-ID: <19980728211125.14099.qmail@hotmail.com>
From: "Show Boat" <showboat@hotmail.com>
To: security@FreeBSD.ORG
Subject: Post qpopper trauma
Date: Tue, 28 Jul 1998 14:11:24 PDT
X-Originating-IP: [38.28.41.117]
Sender: owner-freebsd-security@FreeBSD.ORG

I've just joined the security mailing list. I've read the charters, and I think I'm in line here. If I offend, please be gentle in your flaming.

On July 17th my 2.2.5 system was violated via the qpopper hack. Fortunately I came online during the hack, and was able to salvage the situation somewhat. I found the info on the qpopper exploit, and corrected my version.

The intruders were busy when they were on (with root access). They were attempting to recompile telnetd with their own little backdoor in it. I replaced all my telnetd stuff from a recent system backup. (I ran diff on the sources and was able to tell the code they added.) I recompiled the original, and thought all was well. I believed I had eliminated all trace of the intrusion, and eliminated any way they might have back in.

However, it seems as though I was wrong. Last Friday, someone gained access to our system, and installed an eggdrop bot in our system (hidden as well as could be). This didn't come to my attention until this morning. The PID doesn't show up under 'ps aux'. If you grep specifically for that PID, it shows up as telnetd. They have a file called faqproxy, and a link telnetd@ -> faqproxy. The eggdrop does show under top though, same PID as that telnetd.

I can't figure out how they gained access to the system this time. I am losing hair rapidly over this. They still have some kind of shunt that gives them root access (or so it seems). I've scoured my messages. The ONLY thing I cannot account for is this:

Jul 24 19:05:38 nefertiti popper[28212]: Client at "207.155.142.251" resolves to an unknown host name "ts010d47.pri-nj.concentric.net"

That it is popper scares me. The time frame is appropriate, as the eggdrop was launched in the 7pm hour of Jul 24.

I've looked through the 'last' log extensively. Again, nothing I cannot account for. Anyone with potential root access (sudo) logged from an IP I can account for.

So I am against a wall. I cannot tell how access was gained, and I cannot guarantee that there aren't other nasties going on on the system. Thus, I am looking for some useful advice, or perhaps a security consult. If this is inappropriate for this list I apologize. I would be happy to continue this discussion through private e-mail.

Thanks,
Jeremy
showboat@hotmail.com
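The post above describes the two things a post-compromise check on a box like this has to catch: a system binary (telnetd) replaced by a symlink to a dropped file (faqproxy), and a dropped file that was never part of the install. Diffing sources by hand, as the poster did, only covers the one binary you already suspect. The script below is an added example, not code from the original message or from FreeBSD: it builds a SHA-256 manifest of a trusted tree (a restored backup or install media) and of the live tree, and reports every path that was modified, added or removed, treating a symlink as "modified" when it replaces a regular file. It assumes either GNU `sha256sum` or BSD `sha256` is on the PATH; the two directory trees and the file contents in `demo_compare` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the FreeBSD project):
# compare a live tree against a known-good copy and flag every
# modified, added or removed entry. Symlinks are compared by target,
# so a binary turned into "telnetd -> faqproxy" shows up as MODIFIED.

# Hash one entry. Regular files get a SHA-256 (GNU sha256sum or BSD
# sha256); symlinks get a marker carrying their target instead, since the
# link itself, not the file it points at, is what changed on disk.
entry_hash() {
    if [ -L "$1" ]; then
        printf 'symlink:%s' "$(readlink "$1")"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        sha256 -q "$1"
    fi
}

# manifest DIR: one "hash<TAB>relative-path" line per regular file or
# symlink under DIR, sorted so two manifests are directly comparable.
manifest() {
    (cd "$1" && find . \( -type f -o -type l \) | sort | while read -r f; do
        printf '%s\t%s\n' "$(entry_hash "$f")" "${f#./}"
    done)
}

# compare_trees TRUSTED LIVE: prints, sorted,
#   MODIFIED path   same path, different content or link target
#   ADDED path      only on the live system (a dropped tool, bot, backdoor)
#   REMOVED path    only in the trusted copy
compare_trees() {
    work=$(mktemp -d)
    manifest "$1" > "$work/trusted"
    manifest "$2" > "$work/live"
    awk -F'\t' '
        FILENAME == ARGV[1] { trusted[$2] = $1; next }
        {
            if ($2 in trusted) {
                if (trusted[$2] != $1) print "MODIFIED " $2
                seen[$2] = 1
            } else {
                print "ADDED " $2
            }
        }
        END { for (p in trusted) if (!(p in seen)) print "REMOVED " p }
    ' "$work/trusted" "$work/live" | sort
    rm -rf "$work"
}

# demo_compare: constructed sample data. The trusted tree holds an
# original telnetd and ftpd; on the "live" tree ftpd is untouched,
# faqproxy has been dropped in, and telnetd is now a symlink to it
# (the layout the post describes). Returns the comparison report.
demo_compare() {
    base=$(mktemp -d)
    mkdir -p "$base/trusted/libexec" "$base/live/libexec"
    printf 'original telnetd\n' > "$base/trusted/libexec/telnetd"
    printf 'original ftpd\n'    > "$base/trusted/libexec/ftpd"
    cp "$base/trusted/libexec/ftpd" "$base/live/libexec/ftpd"
    printf 'attacker binary\n'  > "$base/live/libexec/faqproxy"
    ln -s faqproxy "$base/live/libexec/telnetd"
    compare_trees "$base/trusted" "$base/live"
    rm -rf "$base"
}

# Real use: compare_trees /mnt/backup/usr /usr  (and /bin, /sbin, /etc ...)
```

Run the comparison from a clean boot (install media or a known-good kernel), because a trojaned `ls`, `find` or `sha256` on the compromised host can lie to the script just as a trojaned `ps` can hide a process. For the running process itself, FreeBSD's procfs exposes the executable a process was actually started from as `/proc/<pid>/file` (on modern releases `procstat -b <pid>`), which is independent of the name `ps` prints; an entry that resolves to faqproxy rather than the installed telnetd is the same finding the manifest gives for the file on disk.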