From owner-freebsd-questions Sun Jun 27 3:55: 5 1999 Delivered-To: freebsd-questions@freebsd.org Received: from aniwa.sky (p2-max12.wlg.ihug.co.nz [216.100.145.2]) by hub.freebsd.org (Postfix) with ESMTP id EC615151B2; Sun, 27 Jun 1999 03:53:24 -0700 (PDT) (envelope-from andrew@scoop.co.nz) Received: from aniwa.sky (localhost [127.0.0.1]) by aniwa.sky (8.9.1a/8.9.1) with ESMTP id WAA01352; Sun, 27 Jun 1999 22:53:05 +1200 (NZST) Message-Id: <199906271053.WAA01352@aniwa.sky> X-Mailer: exmh version 2.0.2 2/24/98 To: Keith Anderson Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Whats going on please In-reply-to: Your message of "Sun, 27 Jun 1999 19:29:12 +1000." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 27 Jun 1999 22:53:04 +1200 From: Andrew McNaughton Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG popper is a well known problem. Search back through the archives of freebsd-security for details. Once one problem was found in popper, a series of other problems came to light. I believe the problems that were identified have been fixed, but I don't know how comprehensively the source has been analysed. After getting root access (or presuming they had) through popper, they tried to log in through ssh and telnet. You have log entries from failed attempts, but I don't know your system well enough to comment on whether there were successful logins also. My guess is that they failed to get in the first time, but may have succeeded in the second attack on popper. Alternatively they may have just gone away. It's probable that if your version of popper is vulnerable then someone has had root access to your machine, and potentially any change at all could have been made to your setup. To be really sure of your security you should rebuild from backup, or failing that from a clean system install. Looks like they were interested in the kmem user. I don't know if that's something to do with what is possible through the popper exploit, but it's interesting that they didn't just go for root. Is there some program which runs as kmem but refuses to run as root that they might have been interested in? Andrew McNaughton > Hi All > > I just noticed someone hacking. > > what has happend ? > > any help would be great. > > I have whats like a new kernel> > > I am the keith@work.xxx.com.au > > I have turned off all telnet/ssh/smtp/pop for now > > > root@137~#uname -a > FreeBSD 137.132.85.96 3.1-RELEASE FreeBSD 3.1-RELEASE #3: Wed Mar 31 14:59:17 > EST 1999 keith@work.xxx.com.au:/usr/src/sys/compile/WORK i386 > > > what is the '137.132.85.96' or who > > it should be work.xxx.com.au > > I have in /var/log/messages > > > Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to > connect. > Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg > Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg > > > and > > > Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received > Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received > Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received > Jun 27 07:09:04 work dnsserver: gethostby*.gethostanswer: asked for > "exnjld4avip.doubleclick.net", got "exnjld3avip. > doubleclick.net" > Jun 27 17:10:05 work popper[1579]: (v2.53) Unable to get canonical name of > client, err = 0 > Jun 27 17:12:40 work inetd[145]: ident/tcp: No such user 'kmem', service ignored > Jun 27 17:17:06 work popper[1637]: (v2.53) Unable to get canonical name of > client, err = 0 > Jun 27 17:18:47 work popper[1640]: @compl-r4.iscs.nus.sg: -ERR POP EOF received > Jun 27 17:18:48 work popper[1642]: @compl-r4.iscs.nus.sg: -ERR POP EOF received > Jun 27 17:18:48 work popper[1643]: @compl-r4.iscs.nus.sg: -ERR POP EOF received > > > Hope you can help > > Thanking you > > Keith A > > > > > "The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD." > > ** The thing I like most about Windows 98 is... > ** You can download FreeBSD with it! > > ---------------------------------- > E-Mail: Keith Anderson > Australia Power Control Systems Pty. Limited. > Date: 27-Jun-99 > Time: 18:59:43 > Satelite Service 64K to 2Meg > This message was sent by XFMail > ---------------------------------- > > What's the similarity between an air > conditioner and a computer? They both > stop working when you open windows. > > ---------------------------------- > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Andrew McNaughton +64 4 389 6891 andrew@scoop.co.nz http://www.scoop.co.nz/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message