From owner-freebsd-security Mon May 6 22:24:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rwcrmhc54.attbi.com (rwcrmhc54.attbi.com [216.148.227.87]) by hub.freebsd.org (Postfix) with ESMTP id 4515137B408 for ; Mon, 6 May 2002 22:24:39 -0700 (PDT)
Received: from blossom.cjclark.org ([12.234.91.48]) by rwcrmhc54.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020507052438.VLIH2627.rwcrmhc54.attbi.com@blossom.cjclark.org>; Tue, 7 May 2002 05:24:38 +0000
Received: (from cjc@localhost) by blossom.cjclark.org (8.11.6/8.11.6) id g475Ob089649; Mon, 6 May 2002 22:24:37 -0700 (PDT) (envelope-from cjc)
Date: Mon, 6 May 2002 22:24:37 -0700
From: "Crist J. Clark"
To: Sam Drinkard
Cc: security@FreeBSD.ORG
Subject: Re: Woot project
Message-ID: <20020506222437.F89339@blossom.cjclark.org>
References: <3CD72712.37CB5750@vortex.wa4phy.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3CD72712.37CB5750@vortex.wa4phy.net>; from sam@wa4phy.net on Mon, May 06, 2002 at 09:00:02PM -0400
X-URL: http://people.freebsd.org/~cjc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Mon, May 06, 2002 at 09:00:02PM -0400, Sam Drinkard wrote:
> Hello list,
>
> I just discovered I have been hacked on my main webpage from
> apparently the Woot project kiddies. I assume, right after the attack,
> I received an email from some outfit called alldas.org. My problem is
> this. According to what I have read about the woot project, access is
> gained by portscanning for the presence of SSH-1. I don't have SSH-1 or
> 2 active at the moment, so I'm wondering how access was gained. Have
> searched all the log files for unusual activity, and nothing is apparent
> so far.
>
> The message left at the bottom of my main page was:
>
> FreeBSD vortex.wa4phy.net 4.5-STABLE sexcii... - [sYn] of woot-project
>
> Aside from the SSH-1 vulnerabilities, are there any other known
> entry points associated with this cracker group?

CGI bugs.

-- 
Crist J. Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message