Date: Sat, 18 Jul 1998 20:02:43 +1000 (EST)
From: Nicholas Charles Brawn <ncb05@uow.edu.au>
To: "L. Brett Glass" <rogue@well.com>
Cc: chat@FreeBSD.ORG
Subject: Re: We are under attack
Message-ID: <Pine.SOL.3.96.980718195721.15A-100000@wumpus.its.uow.edu.au>
In-Reply-To: <199807161958.MAA17474@well.com>
On Thu, 16 Jul 1998, L. Brett Glass wrote:

> Our FreeBSD server has been under attack for the past 24 hours by crackers
> seeking to exploit a buffer overflow bug in Qualcomm's QPopper POP3 server.
> I just got back from a two-week honeymoon and had not heard about the
> potential exploit when we got hit. I figured out what was going on from
> the system logs, which showed large amounts of bogus input to the daemon.
>
> The attacks seem to be originating from a domain in New York City; the name
> of the system is "eastcoast.hitnet.org" (AKA "hitman.com"). From the sound
> of it, this is an organized, nationwide group. They obviously have experience
> with FreeBSD, as they compiled Trojan horse versions of at least two system
> utilities and replaced the existing ones with them. I realized we'd been
> "rooted" when I saw that these files, which were owned by root:wheel,
> had been replaced.

It's good practice not to mention specific host names or IP addresses if such an attack occurs. More often than not the site the attack appears to be coming from is in fact another hacked site which the attackers are bouncing from. Some organisations have been hit with libel suits as a result of such posts (or claimed "defamation").

Also, one does not have to be particularly "organised" or "experienced" in order to install such a kit. I have seen many a "rootkit" that contained instructions even the lamest script kiddie could follow.

> --Brett Glass (normally brett@lariat.org)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown
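Brett noticed the compromise only because replaced utilities still owned by root:wheel looked different. As an added example that is not part of this thread, the following minimal integrity baseline (file paths and contents are constructed, in a temporary directory) shows why a content hash, not ownership or mode, is what catches a binary swapped in by root:

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Added example, not from the thread: baseline system utilities once,
# store the baseline off-host, then compare the live files against it.


def fingerprint(path):
    """Return (sha256, uid, gid, mode, size) for one file."""
    st = os.stat(path)
    digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    return (digest, st.st_uid, st.st_gid, st.st_mode & 0o7777, st.st_size)


def baseline(paths):
    """Snapshot every path; keep the result on read-only media in practice."""
    return {p: fingerprint(p) for p in paths}


def verify(base):
    """Return {path: [changed fields]} for every file that no longer matches."""
    fields = ("sha256", "uid", "gid", "mode", "size")
    findings = {}
    for path, expected in base.items():
        if not os.path.exists(path):
            findings[path] = ["missing"]
            continue
        current = fingerprint(path)
        diffs = [f for f, a, b in zip(fields, expected, current) if a != b]
        if diffs:
            findings[path] = diffs
    return findings


def demo():
    """Constructed scenario: two stand-in utilities, one replaced after baselining."""
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    Path(ls).write_bytes(b"#!/bin/sh\necho genuine ls\n")
    Path(ps).write_bytes(b"#!/bin/sh\necho genuine ps\n")
    for p in (ls, ps):
        os.chmod(p, 0o755)
    base = baseline([ls, ps])
    # Simulated replacement by root: same owner, mode and size, new content.
    Path(ps).write_bytes(b"#!/bin/sh\necho genuine PS\n")
    return {os.path.basename(k): v for k, v in verify(base).items()}


if __name__ == "__main__":
    print(demo())  # {'ps': ['sha256']}
```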