Date: Sun, 5 Jul 1998 19:32:50 +0930
From: Greg Lehey <grog@lemis.com>
To: Scot Elliott <scot@planet-three.com>, freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Alert: Qualcomm POP Server
Message-ID: <19980705193250.N18970@freebie.lemis.com>
In-Reply-To: <Pine.BSF.3.96.980705100321.19331A-100000@tweetie.online.barbour-index.co.uk>; from Scot Elliott on Sun, Jul 05, 1998 at 10:14:58AM +0100
References: <Pine.BSF.3.96.980705100321.19331A-100000@tweetie.online.barbour-index.co.uk>
On Sunday, 5 July 1998 at 10:14:58 +0100, Scot Elliott wrote:
> Morning all.
>
> I caught someone last night with a root shell on our mail server. I
> traced it back to somewhere in the US, but unfortunately got locked out
> and the log files removed before I had time to fix it ;-(
>
> I shut the machine down remotely by mounting /usr over NFS and changing
> /usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
> ;-)
>
> Anyway - the point is that it looks like some kind of buffer overflow in
> the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
> messages from popper in the log file before it was removed. There was an
> extra line in /etc/inetd.conf which ran a shell as root on some port I
> wasn't using (talk I think). So I'm guessing that the exploit allows
> anyone to run any command as root. Nice. Whomever it was was having a
> whale of a time with my C compiler for some reason... very dodgy.
>
> If I can find out the source of this then I'd like to follow it up. Does
> anyone have experience of chasing this sort of thing from across the US
> border? Also, of course, everyone should check their popper version.

Yes, it looks as if your assessment was right. The problem was fixed
on June 28.

Greg
--
See complete headers for address and phone numbers
finger grog@lemis.com for PGP public key
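An added example, not part of the original message or of FreeBSD: a shell check for the two indicators the report describes, an inetd.conf entry that runs a shell as root and popper log lines carrying runs of ^P. The function names, the sample file contents and the assumption that syslogd recorded control characters in caret notation are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage checks for the two indicators described in the message.

# Print inetd.conf entries that start a shell directly as root.
# Fields: service socktype proto wait user server-program args...
find_root_shells() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        NF >= 6 {
            user = $5; sub(/[.:].*/, "", user)  # drop optional group suffix
            n = split($6, parts, "/"); prog = parts[n]
            if (user == "root" && prog ~ /^(sh|csh|tcsh|bash|ksh|zsh)$/)
                print FNR ": " $0
        }' "$1"
}

# Count popper log lines containing a run of three or more "^P".
# Assumption: syslogd recorded control characters in caret notation.
count_popper_ctrl_runs() {
    grep 'popper' "$1" | grep -c -F '^P^P^P' || true
}

# Constructed sample files (not taken from the incident).
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample
pop3  stream tcp nowait root /usr/local/libexec/popper popper
ftp   stream tcp nowait root /usr/libexec/ftpd ftpd -l
talk  stream tcp nowait root /bin/sh sh -i
EOF
    cat > "$1/messages" <<'EOF'
Jul  4 23:10:01 mail popper[412]: connection from host.example
Jul  4 23:10:02 mail popper[412]: ^P^P^P^P^P^P^P^P^P^P^P^P
Jul  4 23:10:05 mail inetd[98]: talk/tcp: connection
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
find_root_shells "$tmp/inetd.conf"
echo "popper control-character lines: $(count_popper_ctrl_runs "$tmp/messages")"
rm -rf "$tmp"
```

On a host where the logs may already have been removed, as in the report, the inetd.conf check is the one that still has something to read; compare its output against a known-good copy of the file.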