Date:      Sat, 18 Jul 1998 20:02:43 +1000 (EST)
From:      Nicholas Charles Brawn <ncb05@uow.edu.au>
To:        "L. Brett Glass" <rogue@well.com>
Cc:        chat@FreeBSD.ORG
Subject:   Re: We are under attack
Message-ID:  <Pine.SOL.3.96.980718195721.15A-100000@wumpus.its.uow.edu.au>
In-Reply-To: <199807161958.MAA17474@well.com>

On Thu, 16 Jul 1998, L. Brett Glass wrote:

> Our FreeBSD server has been under attack for the past 24 hours by crackers
> seeking to exploit a buffer overflow bug in Qualcomm's QPopper POP3 server.
> I just got back from a two-week honeymoon and had not heard about the
> potential exploit when we got hit. I figured out what was going on from
> the system logs, which showed large amounts of bogus input to the daemon.
> 
> The attacks seem to be originating from a domain in New York City; the name
> of the system is "eastcoast.hitnet.org" (AKA "hitman.com").  From the sound
> of it, this is an organized, nationwide group. They obviously have experience
> with FreeBSD, as they compiled Trojan horse versions of at least two system
> utilities and replaced the existing ones with them. I realized we'd been
> "rooted" when I saw that these files, which were owned by root:wheel,
> had been replaced.

It's good practice not to mention specific host names or IP addresses if
such an attack occurs. More often than not the site the attack appears 
to be coming from is in fact another hacked site which the attackers
are bouncing from. Some organisations have been hit with libel suits as a
result of such posts (or claimed "defamation"). 

Also, one does not have to be particularly "organised" or "experienced" in
order to install such a kit. I have seen many a "rootkit" that contained
instructions even the lamest script kiddie could follow.

> --Brett Glass (normally brett@lariat.org)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick 
Key fingerprint =  DE 30 33 D3 16 91 C8 8D  A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown
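Brett noticed the compromise only because root:wheel-owned binaries had visibly changed. The systematic version of that check is a baseline-and-compare integrity scan, which on FreeBSD is what mtree(8) does. The following is an added example, not code from either poster or from the FreeBSD project: it records a SHA-256 digest, mode and ownership for every regular file under a directory, then reports what differs. The directory layout, file contents and the "trojaned ps" scenario are constructed for the demonstration.

```python
"""Baseline-and-compare integrity check for system binaries (added example).

Records a SHA-256 digest plus mode, uid, gid and size for every regular
file under a directory, then flags anything that later differs, as a
trojaned utility dropped over /bin/ps would.  FreeBSD's native tool for
this is mtree(8); this is a minimal stand-in so the idea runs anywhere.
"""
import hashlib
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative_path: (sha256, mode, uid, gid, size)} for regular files under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, devices and anything else that is not a plain file
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            baseline[rel] = (
                digest.hexdigest(),
                stat.S_IMODE(st.st_mode),
                st.st_uid,
                st.st_gid,
                st.st_size,
            )
    return baseline


def compare(baseline, current):
    """Return a sorted list of (path, reason) for files that changed, appeared or vanished."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append((path, "missing"))
        elif path not in baseline:
            findings.append((path, "added"))
        else:
            old, new = baseline[path], current[path]
            if old[0] != new[0]:
                findings.append((path, "content changed"))
            elif old[1:4] != new[1:4]:
                findings.append((path, "mode/owner changed"))
    return findings


def demo():
    """Constructed scenario: snapshot a fake /bin, swap in a trojaned ps, re-check."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("ls", b"ELF fake ls v1"), ("ps", b"ELF fake ps v1")):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, 0o555)
        baseline = snapshot(root)

        # Attacker replaces ps with a version that hides their processes,
        # keeping the same name, mode and ownership so ls -l looks normal.
        target = os.path.join(root, "ps")
        os.chmod(target, 0o755)
        with open(target, "wb") as fh:
            fh.write(b"ELF fake ps that hides attacker processes")
        os.chmod(target, 0o555)

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Two caveats a practitioner would want: the baseline is only as trustworthy as where it is kept, so write it to read-only media or a separate host, since an attacker with root can rewrite a baseline stored on the box just as easily as the binaries; and run the comparison with a hashing tool booted from trusted media, because a rootkit that replaced ps and ls can just as well have replaced the checker.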


