Date: Sun, 30 Sep 2001 16:02:03 -0700
From: Kris Kennaway <kris@obsecurity.org>
To: Jason <jason@jason-n3xt.org>
Cc: freebsd-questions@FreeBSD.ORG, "questions@freebsd.org" <questions@FreeBSD.ORG>
Subject: Re: I was rooted using telnet
Message-ID: <20010930160203.A43149@xor.obsecurity.org>
In-Reply-To: <Pine.BSF.4.21.0109302239160.10365-100000@jason-n3xt.org>; from jason@jason-n3xt.org on Sun, Sep 30, 2001 at 10:43:24PM +0000
References: <20010930101201.C98775@acadia.ne.mediaone.net> <Pine.BSF.4.21.0109302239160.10365-100000@jason-n3xt.org>

On Sun, Sep 30, 2001 at 10:43:24PM +0000, Jason wrote:
> Yes I did see it on my daily reports AFTER it happened. They only had
> approx 4-5 hours on my box. Between the time I went to bed and woke
> up. When I get up and get to my box the first thing I do is check to see
> who is on. I saw two unauthorized users (1 and 11). One of them was
> running a BNC for irc and the other was just idle. There were 2 other
> users created as well (tmp and asaf). I immediately killall'ed them,
> turned off telnet in inetd.conf and added the telnet port to my firewall.
>
> I have since examined the contents of their home dirs they created. They
> did in fact use a buffer overflow exploit. A couple of people have
> requested it.. once I have time (I have a lot going on at work) I'll send
> the code and compiled script to the reputable requesters.

Please send it to security-officer@FreeBSD.org. We aren't aware of
any outstanding vulnerabilities in telnetd. Perhaps that wasn't
actually the route they used to get into the system, or perhaps
there's something else at work here.

Kris