Date: Sat, 30 Dec 2006 14:04:22 +1100
From: jonathan michaels <jlm@caamora.com.au>
To: gareth <bsd@lordcow.org>
Cc: stable@freebsd.org
Subject: Re: system breach
Message-ID: <20061230140421.52408@caamora.com.au>
In-Reply-To: <20061229205436.GB6029@lordcow.org>; from gareth on Fri, Dec 29, 2006 at 10:54:36PM +0200
References: <20061228231226.GA16587@lordcow.org> <b91012310612282010m22a6bbdbp97bf7bdecca1530@mail.gmail.com> <20061229155845.GA1266@lordcow.org> <45954196.9040909@saeab.se> <20061229173916.GA3196@lordcow.org> <20061229181606.GA83815@icarus.home.lan> <20061229205436.GB6029@lordcow.org>
gareth

On Fri, Dec 29, 2006 at 10:54:36PM +0200, gareth wrote:
> On Fri 2006-12-29 (10:16), Jeremy Chadwick wrote:

With regards to your last post to me (personal): I had installed FreeBSD v6.1-RELEASE and set up X Windows (both KDE & GNOME) desktop environments, then left the machine sit and settle.

The machine is a Compaq ProLiant 5500 with 2 PIII Xeon 550/100, L2 cache of 1 MB. It has a 45 GB RAID5 array (35 GB data / 10 GB RAID indexing etc.); this is built on top of a SMART-2/P array controller with a pair of Symbios SCSI3 host adapters. The machine is sitting idle on a shelf while I get several dozen DLT-IV tapes that I've ordered for the DLT-7000 SCSI tape streamer, so that I can save the image/filesystems to tape, then scour the disks clean and start again.

It's got a directory in the root fs and several other files peppered all over the array, and many entries in the system logs; all started on or about 22 November, about 11 pm I think. Sorry, the machine is running something else at the moment and it's a bit too hard to get the relevant details, but if it is of any value to you or anyone else I'd be happy to run up FreeBSD v6.1-RELEASE and get the details for you.

The compromise seems to be an sshd coupled to an X11 subsystem, send-out-pornography type of attack. As I told you earlier, I've contacted AusCERT and given them the open port numbers, which they confirmed as a current local compromise that's been perpetrated by several fellows in China (mainland), Hong Kong and from Indonesia as well. It is apparently a reasonably well known gang that is doing this; could be targeting anyone with FreeBSD v6.1-RELEASE, or more likely the version of KDE/GNOME that installed with FreeBSD v6.1-RELEASE.

One thing to note is that FreeBSD warns after installation (that is, after the first night-time maintenance run), in the security mail, that 18 or so packages are known to be compromisable and/or weak in that respect.

I didn't think much of it as I wasn't going to be using the machine, just let it run up as it was new (to me); it's recycled from another life and is some 10 years old (pretty new in my museum, big grin).

If anyone else is interested in details I'd be happy to furnish details off list.

Most kind regards

jonathan

Also, best wishes for the coming new year, and I hope that your Christmas was happy, holy, safe and incident free.

-- 
================================================================
powered by .. QNX, OS9 and freeBSD -- http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20061230140421.52408>