Date: Sun, 30 Sep 2001 16:02:03 -0700 From: Kris Kennaway <kris@obsecurity.org> To: Jason <jason@jason-n3xt.org> Cc: freebsd-questions@FreeBSD.ORG, "questions@freebsd.org" <questions@FreeBSD.ORG> Subject: Re: I was rooted using telnet Message-ID: <20010930160203.A43149@xor.obsecurity.org> In-Reply-To: <Pine.BSF.4.21.0109302239160.10365-100000@jason-n3xt.org>; from jason@jason-n3xt.org on Sun, Sep 30, 2001 at 10:43:24PM %2B0000 References: <20010930101201.C98775@acadia.ne.mediaone.net> <Pine.BSF.4.21.0109302239160.10365-100000@jason-n3xt.org>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Sun, Sep 30, 2001 at 10:43:24PM +0000, Jason wrote: > Yes I did see it on my daily reports AFTER it happened. They only had > approx 4-5 hours on my box. Between the time I went to bed and woke > up. When I get up and get to my box the frist thing I do is check to see > who is on. I saw to unauthoried users (1 and 11). One of them was > running a BNC for irc and the other was just idle. There were 2 other > users created as well (tmp and asaf). I immediatly killall'ed them, > turned off telnet in inetd.conf and added the telnet port to my firewall. > > I have since examined the contents of their home dirs they created. The > did in fact use a buffer overflow exploit. A couple of people have > requested it.. once I have time (I have a lot going on at work) I'll send > the code and compiled script to the reputable requesters. Please send it to security-officer@FreeBSD.org. We aren't aware of any outstanding vulnerabilities in telnetd. Perhaps that wasn't actually the route they used to get into the system, or perhaps there's something else at work here. Kris [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE7t6RrWry0BWjoQKURAoYlAJ4z90JwofuSYSvU5tfn2a4ueXMRQgCcDRIW MUQE0lgza/+N1B7oxY8jf8g= =5Fni -----END PGP SIGNATURE-----help
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010930160203.A43149>