Date: Sat, 18 Jul 1998 20:02:43 +1000 (EST)
From: Nicholas Charles Brawn
To: "L. Brett Glass"
cc: chat@FreeBSD.ORG
Subject: Re: We are under attack
In-Reply-To: <199807161958.MAA17474@well.com>

On Thu, 16 Jul 1998, L. Brett Glass wrote:

> Our FreeBSD server has been under attack for the past 24 hours by crackers
> seeking to exploit a buffer overflow bug in Qualcomm's QPopper POP3 server.
> I just got back from a two-week honeymoon and had not heard about the
> potential exploit when we got hit. I figured out what was going on from
> the system logs, which showed large amounts of bogus input to the daemon.
>
> The attacks seem to be originating from a domain in New York City; the name
> of the system is "eastcoast.hitnet.org" (AKA "hitman.com"). From the sound
> of it, this is an organized, nationwide group. They obviously have experience
> with FreeBSD, as they compiled Trojan horse versions of at least two system
> utilities and replaced the existing ones with them. I realized we'd been
> "rooted" when I saw that these files, which were owned by root:wheel,
> had been replaced.
It's good practice not to mention specific host names or IP addresses if
such an attack occurs. More often than not the site the attack appears to be
coming from is in fact another hacked site which the attackers are bouncing
from. Some organisations have been hit with libel suits as a result of such
posts (or claimed "defamation").

Also, one does not have to be particularly "organised" or "experienced" in
order to install such a kit. I have seen many a "rootkit" that contained
instructions even the lamest script kiddie could follow.

> --Brett Glass (normally brett@lariat.org)

Nick

--
Email: ncb05@uow.edu.au - http://rabble.uow.edu.au/~nick
Key fingerprint = DE 30 33 D3 16 91 C8 8D A7 F8 70 03 B7 77 1A 2A
"When in doubt, ask someone wiser than yourself..." -unknown