Date:      28 Jun 1999 13:44:52 +0200
From:      Dag-Erling Smorgrav <des@flood.ping.uio.no>
To:        Keith Anderson <keith@apcs.com.au>
Cc:        questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: Whats going on please
Message-ID:  <xzp6748im6j.fsf@flood.ping.uio.no>
In-Reply-To: Keith Anderson's message of "Sun, 27 Jun 1999 19:29:12 +1000 (EST)"
References:  <XFMail.990627192912.keith@apcs.com.au>

Keith Anderson <keith@apcs.com.au> writes:
> <snip>
> root@137~#uname -a
> FreeBSD 137.132.85.96 3.1-RELEASE FreeBSD 3.1-RELEASE #3: Wed Mar 31 14:59:17
> EST 1999     keith@work.xxx.com.au:/usr/src/sys/compile/WORK  i386
> </snip>
> 
> what is the '137.132.85.96' or who

It's the machine's hostname. Try typing 'hostname' or 'sysctl -n
kern.hostname' and see what it returns. BTW, this IP address belongs
to compl-r4.iscs.nus.sg, which seems to be your attacker.

My guess is that you typed 'hostname 137.132.85.96' instead of 'host
137.132.85.96' trying to look up the IP address. I can't see any
reason for the attacker to change your hostname to his IP address.

> Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to
> connect.
> Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
> Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg

Looks like a 'known services' scan turned down by TCP wrappers.

> Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received

He tried to exploit your POP server. Doesn't seem like he succeeded,
but I can't tell for sure.

Call the National University of Singapore (+65 8748026) and complain.
Don't email or fax; calling them voice forces them to take a decision
there and then, whereas email and faxes can be blackholed or answered
with form letters.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no
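
Added example, not part of the original message: a Python pass over the quoted syslog lines that groups them by remote host and service, the pattern the reply reads as a 'known services' scan. The regexes, the assumed year and the 10-minute window are assumptions; the sshd line logs no peer, so it is only listed beside hosts active around that time, not attributed to one.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the syslog lines quoted in the message, wrapped lines rejoined.
SAMPLE = """\
Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to connect.
Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg
Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+)\[\d+\]: (.*)$")
# Peer patterns for the two message shapes above (assumed, not a full grammar).
PEER = [re.compile(r"refused connect from (\S+)"), re.compile(r"^\S*@(\S+?): ")]

def parse(text, year=1999):
    """Yield (timestamp, service, peer or None); syslog omits the year, so it is assumed."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hit = next((h for h in (p.search(m.group(3)) for p in PEER) if h), None)
        yield ts, m.group(2), hit.group(1) if hit else None

def report(text, window=timedelta(minutes=10)):
    """Return (peers seen on 2+ services, peerless events with peers active nearby)."""
    by_peer, orphans = defaultdict(lambda: defaultdict(list)), []
    for ts, svc, peer in parse(text):
        if peer:
            by_peer[peer][svc].append(ts)
        else:
            orphans.append((ts, svc))
    multi = {p: sorted(s) for p, s in by_peer.items() if len(s) >= 2}
    near = [(ts.isoformat(), svc, sorted({p for p, s in by_peer.items()
             for times in s.values() for t in times if abs(t - ts) <= window}))
            for ts, svc in orphans]
    return multi, near

if __name__ == "__main__":
    multi, near = report(SAMPLE)
    for peer, services in multi.items():
        print(f"{peer}: touched {', '.join(services)}")
    for when, svc, candidates in near:
        print(f"{when} {svc}: no peer logged; active nearby: {candidates or 'none'}")
```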

