From: "Daniel Minoru Saito"
To: "Leonard C."
Subject: Re: URGENT! Need help determining scope of attack...
Date: Tue, 13 Oct 1998 10:44:46 +0900

Cute UC Berkeley. :)

I wouldn't worry too much as well. Although a good practice that might be of help is to talk to the system administrator at the residence halls.

As for your Qpopper attack. There are bruteforce ways to do it.. in the "Generic Script Kiddie Rootkit" but by looking at your logs and mentioned before in the emails - he made typos. Granted he was probably reading instructions off of rootshell.com.

As for your BO attack I am sure your "script kiddie" was searching the segment rather than your specific IP. So if he hit yours unsuccessfully -- but then how many did he hit "successfully". You would be doing others a favor by turning the little punk in..

Daniel

-----Original Message-----
From: Dag-Erling C. Smørgrav
Subject: Re: URGENT! Need help determining scope of attack...
"Leonard C." writes:
> When I checked my system's daily report today, I found this:
>
> > pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
> > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
> > Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896
>
> With the core dump and then the attempted connections to port 31337, I'm
> suspecting that this is a script kiddy. What worries me is I'm unsure of
> the scope of the attack. In the logs, right after the attack, there was an
> su to root, but no new accounts have been added, nor any new uid 0
> accounts. There are also no new setuid programs either.

Relax. Some idiot scanned your box for BO, which won't do him much
good since you're running FreeBSD. Check your /var/log/messages to see
how long after the core dump that was. I'm pretty sure the core dump
was unrelated; check /var/log/messages and find out how much time
passed between them. The same idiot tried to root you through qpopper,
but it seems you have an up-to-date version and he didn't have a clue
anyway. Seems he was working by hand, not running scripts: he made
typos while talking to qpopper.

Next time something like this happens, you should do a better job of
masking your hostname and IP address before mailing your logs to a
public forum. Black hats read mailing lists too.

Oh, and if I were you I'd get in touch with UCB and send your logs to
whoever is in charge over there. Teach some idiot freshman a lesson.
finrod@niobe ~$ nslookup 169.229.84.53
Server:  localhost.ewox.org
Address:  127.0.0.1

Name:    ehr-84-53.Reshall.Berkeley.EDU
Address:  169.229.84.53

You have mail in /var/mail/finrod
finrod@niobe ~$ nslookup 169.229.93.66
Server:  localhost.ewox.org
Address:  127.0.0.1

Name:    pri-93-66.Reshall.Berkeley.EDU
Address:  169.229.93.66

DES
--
Dag-Erling Smørgrav - dag-erli@ifi.uio.no

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
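As an added example (not part of the thread, and not anyone's posted code), a small script that applies DES's reading of the daily report to lines in the format Leonard quoted: it keeps the telnet core dump separate from the connection attempts, groups the UDP attempts by source address, and lists the sources that hit 31337/udp (the Back Orifice port named in the thread) so they can be forwarded to the source network's administrator. The report text is constructed from the lines in the post; the port table and function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample, modelled on the daily-report lines quoted in the thread.
SAMPLE_REPORT = """\
pid 7081 (telnet), uid 0: exited on signal 3 (core dumped)
Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
Connection attempt to UDP 169.229.87.xx:31337 from 169.229.93.66:1335
Connection attempt to UDP 169.229.87.xx:31337 from 169.229.84.53:1896
Connection attempt to UDP 169.229.87.xx:53 from 169.229.84.53:1901
"""
# 31337/udp is the Back Orifice port named in the thread (assumed table; extend as needed).
SUSPECT_UDP_PORTS = {31337: "Back Orifice"}

CONN_RE = re.compile(r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>[\d.x]+):(?P<dport>\d+)"
                     r" from (?P<src>[\d.]+):(?P<sport>\d+)")
CORE_RE = re.compile(r"pid (?P<pid>\d+) \((?P<prog>\w+)\), uid (?P<uid>\d+):.*\(core dumped\)")

def parse_report(text):
    """Split a daily report into connection attempts and core dumps, kept apart:
    as DES notes, a core dump next to a scan is not evidence that they are linked."""
    attempts, cores = [], []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            d = m.groupdict()
            d["dport"], d["sport"] = int(d["dport"]), int(d["sport"])
            attempts.append(d)
        elif (m := CORE_RE.search(line)):
            cores.append(m.groupdict())
    return attempts, cores

def summarize_probes(attempts):
    """Per source address: attempt count, ports touched, and any backdoor tool implied."""
    per_src = defaultdict(lambda: {"count": 0, "ports": Counter(), "tools": set()})
    for a in attempts:
        e = per_src[a["src"]]
        e["count"] += 1
        e["ports"][a["dport"]] += 1
        if a["proto"] == "UDP" and a["dport"] in SUSPECT_UDP_PORTS:
            e["tools"].add(SUSPECT_UDP_PORTS[a["dport"]])
    return dict(per_src)

def report_sources(summary):
    """Sources that probed a known backdoor port: the ones worth sending to their admin."""
    return sorted(src for src, e in summary.items() if e["tools"])
```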