From owner-freebsd-questions Fri Aug 7 14:12:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA24915 for freebsd-questions-outgoing; Fri, 7 Aug 1998 14:12:44 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA24748 for ; Fri, 7 Aug 1998 14:11:53 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.8.5/8.8.8) with SMTP id OAA16265; Fri, 7 Aug 1998 14:11:21 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu)
Date: Fri, 7 Aug 1998 14:11:20 -0700 (PDT)
From: Doug White
To: Greg Quinlan
cc: freebsd-questions@FreeBSD.ORG
Subject: Re: MSCAN - named - Vulnerability
In-Reply-To: <01bdc224$ad8f41e0$380051c2@greg.qmpgmc.ac.uk>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, 7 Aug 1998, Greg Quinlan wrote:

> Further to the message regarding MSCAN here is a transcript from the
> system log of someone overloading my name server and trying to hack my
> system. If you are wondering who it was:
>
> Aug 6 02:00:03 dns1 named[155]: named.3.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: named.4.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: named.5.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: named.6.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: named.7.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: Ready to answer queries.

This is the normal startup sequence for named. Note the last item. Odd
restart time though, that's usually when the system maintenance runs.

> Here is where they tried to hack something else?
> Aug 6 02:53:54 dns1 popper[1292]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:53:54 dns1 popper[1292]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:53:58 dns1 popper[1294]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:53:58 dns1 popper[1294]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:55:06 dns1 popper[1302]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:55:06 dns1 popper[1302]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:55:10 dns1 popper[1304]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:55:10 dns1 popper[1304]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:59:36 dns1 popper[1310]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:59:36 dns1 popper[1310]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:59:43 dns1 popper[1312]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:59:43 dns1 popper[1312]: @[164.138.210.56]: -ERR POP EOF received

Okay, that could be something. That address belongs to France Telecom. Do
you have anyone there who regularly checks mail on your system? The EOF
may point to someone trying to exploit your popper (which IS VULNERABLE --
UPGRADE NOW!!)

Doug White | University of Oregon
Internet: dwhite@resnet.uoregon.edu | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite | Computer Science Major

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
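As an added example (not part of the thread above), this script turns Doug's reading of the popper lines into detection logic: it joins each "Unable to get canonical name of client" line to the EOF line of the same popper PID and flags a client address that drops several sessions at EOF inside a short window, which is the pattern worth checking against a known-vulnerable popper. The sample lines are three of the sessions quoted in the thread; the year 1998, the three-session threshold and the ten-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Lines quoted in the thread (syslog carries no year; 1998 is assumed below).
SAMPLE_LOG = """\
Aug 6 02:53:54 dns1 popper[1292]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:53:54 dns1 popper[1292]: @[164.138.210.56]: -ERR POP EOF received
Aug 6 02:53:58 dns1 popper[1294]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:53:58 dns1 popper[1294]: @[164.138.210.56]: -ERR POP EOF received
Aug 6 02:55:06 dns1 popper[1302]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:55:06 dns1 popper[1302]: @[164.138.210.56]: -ERR POP EOF received
"""
LINE_RE = re.compile(r"^(\w{3})\s+(\d+) (\d\d:\d\d:\d\d) \S+ popper\[(\d+)\]: (.*)$")
EOF_RE = re.compile(r"^@\[([\d.]+)\]: -ERR POP EOF received$")
UNRESOLVED = "Unable to get canonical name of client"

def parse_sessions(log, year=1998):
    """One record per popper session that ended in EOF (joined to the reverse-DNS failure by PID)."""
    unresolved, sessions = set(), []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a popper line (e.g. the named startup messages)
        mon, day, clock, pid, msg = m.groups()
        if UNRESOLVED in msg:
            unresolved.add(pid)
        elif (e := EOF_RE.match(msg)):
            ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
            sessions.append({"time": ts, "pid": pid, "ip": e.group(1),
                             "unresolved": pid in unresolved})
    return sessions

def flag_probes(sessions, min_count=3, window=timedelta(minutes=10)):
    """{ip: total EOF sessions} for clients with >= min_count EOF sessions in any window (assumed thresholds)."""
    by_ip = defaultdict(list)
    for s in sessions:
        by_ip[s["ip"]].append(s["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= min_count:
                flagged[ip] = len(times)
                break
    return flagged
```

Run against the full set of lines in the thread the same address is flagged with six sessions; a legitimate mail client that logs in and retrieves mail never produces this EOF-only pattern.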