From owner-freebsd-security Mon May 6 18: 0:24 2002
Delivered-To: freebsd-security@freebsd.org
Received: from vortex.wa4phy.net (pcp01578012pcs.martnz01.ga.comcast.net [68.47.4.97]) by hub.freebsd.org (Postfix) with ESMTP id 5956337B413 for ; Mon, 6 May 2002 18:00:06 -0700 (PDT)
Received: from vortex.wa4phy.net (localhost.wa4phy.net [127.0.0.1]) by vortex.wa4phy.net (8.11.6/8.11.6) with ESMTP id g47102131809 for ; Mon, 6 May 2002 21:00:02 -0400 (EDT) (envelope-from sam@wa4phy.net)
Message-ID: <3CD72712.37CB5750@vortex.wa4phy.net>
Date: Mon, 06 May 2002 21:00:02 -0400
From: Sam Drinkard
Organization: You Gotta Be Kiddin!
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.5-STABLE i386)
X-Accept-Language: en, ja
MIME-Version: 1.0
To: security@freebsd.org
Subject: Woot project
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hello list,

I just discovered I have been hacked on my main webpage, apparently by the Woot project kiddies. I assume, right after the attack, I received an email from some outfit called alldas.org.

My problem is this. According to what I have read about the Woot project, access is gained by portscanning for the presence of SSH-1. I don't have SSH-1 or 2 active at the moment, so I'm wondering how access was gained. I have searched all the log files for unusual activity, and nothing is apparent so far.

The message left at the bottom of my main page was:

FreeBSD vortex.wa4phy.net 4.5-STABLE sexcii... - [sYn] of woot-project

Aside from the SSH-1 vulnerabilities, are there any other known entry points associated with this cracker group?

Thanks..

Sam

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message