From owner-freebsd-stable Wed May 5 6:55:26 1999
Delivered-To: freebsd-stable@freebsd.org
Received: from fed-ef1.frb.gov (fed.frb.gov [132.200.32.32]) by hub.freebsd.org (Postfix) with ESMTP id 6BFB11505E; Wed, 5 May 1999 06:55:16 -0700 (PDT) (envelope-from seth@freebie.dp.ny.frb.org)
Received: by fed-ef1.frb.gov; id JAA29368; Wed, 5 May 1999 09:54:25 -0400 (EDT)
Received: from m1pmdf.frb.gov(192.168.3.38) by fed.frb.gov via smap (V4.2) id xma028951; Wed, 5 May 99 09:53:51 -0400
Date: Wed, 05 May 1999 09:53:44 -0400 (EDT)
From: Seth
Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
In-reply-to:
To: "Michael C. Vergallen"
Cc: Tim Priebe , Greg Quinlan , freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Just out of curiosity, how were you attempting to remotely reboot your
ftp server?

SB

On Wed, 5 May 1999, Michael C. Vergallen wrote:

> I don't see how this can be an exploit if you have /etc/hosts.deny and
> /etc/hosts.allow set up correctly and don't allow rcmd commands on your
> system. I tried to remotely reboot my ftp server here and no, it does not
> work on that machine, and I also tried on my gateway machine and no luck
> there either. Now I will try my print server but I first have to upgrade
> that box to 3.1 ... However on my network I see more and more people
> scanning with a portscanner so I suppose I better keep a look out for
> strange items in my log files.
>
> Michael
> ---
> Michael C. Vergallen A.k.A. Mad Mike,
> Sportstraat 28 http://www.double-barrel.be/mvergall/
> B 9000 Gent ftp://ftp.double-barrel.be/pub/linux/
> Belgium tel : 32-9-2227764 Fax : 32-9-2224976
>
> On Wed, 5 May 1999, Tim Priebe wrote:
>
> > I saw such behavior Sunday when trying to implement a new firewall. The
> > system would repeatedly panic with a trap 12. This would happen
> > immediately after the login prompt appeared after the previous panic.
> > The system would be stable if I removed the first ethernet cable; plug
> > the cable back in, and a short while later it would start over again.
> > It was late, and we had to get the system working again, so we restored
> > to the previous system. I have some information logged for packets at
> > the time. I will check this and try to reproduce after I finish the
> > course I am on this week.
> >
> > Tim.
> >
> > Greg Quinlan wrote:
> > >
> > > This sounds so.. so very familiar!!
> > >
> > > I have been the target of exploits before......
> > >
> > > The exact same thing I have been experiencing........but not for about 5
> > > days now!
> > >
> > > I'm not convinced it's a pure exploit.. (i.e. a program specifically written
> > > for the purpose)
> > >
> > > Greg
> > >
> > > -----Original Message-----
> > > From: Karl Denninger
> > > To: chris@calldei.com ; Jordan K. Hubbard
> > >
> > > Cc: Mike Smith ; Seth ;
> > > freebsd-stable@FreeBSD.ORG ;
> > > security@FreeBSD.ORG ; jamie@exodus.net
> > >
> > > Date: 04 May 1999 05:20
> > > Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
> > >
> > > >On Mon, May 03, 1999 at 10:51:32PM -0500, Chris Costello wrote:
> > > >> On Mon, May 3, 1999, Jordan K. Hubbard wrote:
> > > >> > > I have to say that Jamie really let us down by not running a raw
> > > >> > > tcpdump alongside the second targeted machine here. Any chance of
> > > >> > > provoking these people into "demonstrating" the exploit on a machine,
> > > >> > > while another connected to the same wire is running
> > > >> >
> > > >> > I'd say he or whomever first reported this to bugtraq let us down even
> > > >> > more by releasing an "advisory" in such an unknown and unverifiable
> > > >> > state. By doing so, all they've done is hand ammunition to the FUD
> > > >> > corps and given us no reasonable chance to respond since the advisory
> > > >>
> > > >> I get the impression that that was the whole point of the
> > > >> bugtraq post, to give us more grief.
> > > >
> > > >Ding!
> > > >
> > > >Give that man a cigar.
> > > >
> > > >Anyone who saw this done to one machine and didn't *immediately* configure
> > > >machine #2 to trap and trace on the second instance deserves raspberries -
> > > >at a minimum.
> > > >
> > > >It's one thing to have it done "anonymously" (among other things you might
> > > >not be there when it goes "boom" under those conditions!) It's another to
> > > >have it done under controlled conditions and neither get an explanation
> > > >OR trap the condition that caused it yourself with a tcpdump trace.
> > > >
> > > >--
> > > >--
> > > >Karl Denninger (karl@denninger.net) Web: fathers.denninger.net
> > > >I ain't even *authorized* to speak for anyone other than myself, so give
> > > >up now on trying to associate my words with any particular organization.
> > > >
> > > >
> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > > >with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message