Date: Wed, 26 Aug 1998 21:55:56 -0700 (PDT)
From: "Jan B. Koum" (jkb@best.com)
To: Brendan Kosowski
cc: FreeBSD Security
Subject: Re: FreeBSD 2.2.5 Security Problem

You probably got broken into through popper. Are you running the Qualcomm version? I suspect the intruders either replaced the telnetd/login binaries or simply connect to popper to get a shell. They also modified the wtmp files to hide their presence on the system.

This issue (the popper bug) has been discussed before on this list. Anyone running FreeBSD IMHO should be on this list AND bugtraq if they care about security at all.

I'd re-install the OS at this point, since you have no way of knowing where you might have a back door.

FreeBSD security advisories are located at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/

You will not see a popper advisory in this directory since popper is not part of the OS.

If you do decide to re-install, take a look at www.best.com/~jkb/howto.txt for some basic steps one can take to make their FreeBSD a bit more secure out of the box.

-- Yan
www.best.com/~jkb/
Unix users of the world unite: www.{free,open,net}bsd.org | www.linux.org | www.apache.org | www.perl.com
"Turn up the lights, I don't want to go home in the dark."

On Thu, 27 Aug 1998, Brendan Kosowski wrote:

> I suspect a regular security break-in on my FreeBSD 2.2.5 system for the
> following reasons:
>
> (Note 1: my system has a small number of users which I know well)
> (Note 2: my inetd.conf only enables FTPD, TELNETD & POPPER)
>
> 1. My Internet costs increased by 10 times last month.
>
> 2. I often see 2 SHELLS running when I do a "ps -ax" even though I am the
> only person listed when I do a "who".
>
> 3. My SYSLOG messages file has lots of telnetd "undefined errors" during
> times when NO ONE is using the system.
>
> Can anyone help me???
>
> Does anyone have AN OFFICIAL LIST OF FreeBSD 2.2.5 SECURITY HOLES and
> HOW TO FIX THEM???
>
> Thanks & Regards, Brendan...
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
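A defender-side check for item 2 of Brendan's report (shells visible in `ps` whose owner has no login in `who`), added here as an example and not part of either message; the `ps` and `who` output it runs on is constructed sample data, and the (user, tty) pairing is an assumption about how you would want to reconcile the two listings.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the shells that `ps` reports
# against the login sessions that `who` reports (who reads utmp, which the
# reply says intruders edit). Sample outputs below are constructed, not real.

# Constructed `ps -axo user,pid,tty,command` output (FreeBSD-style tty names).
PS_SAMPLE='USER     PID TT  COMMAND
root       1 ??  /sbin/init
brendan  412 p0  -csh (csh)
root     455 p1  -sh (sh)
nobody   470 p2  /bin/sh -i
brendan  480 p0  vi notes.txt'

# Constructed `who` output: the only recorded login is brendan on ttyp0.
WHO_SAMPLE='brendan  ttyp0  Aug 27 09:12  (203.0.113.5)'

# unexplained_shells PS_TEXT WHO_TEXT
# Prints "user pid tty command" for every shell process attached to a tty
# whose (user, tty) pair has no matching login session in the who listing.
# A hit means a shell runs without a login record: an edited utmp, a daemon
# spawning shells (the popper case above), or a process left over after logout.
unexplained_shells() {
    # Build " user:tty user:tty" from who; ps shows ttyp0 as "p0", so drop "tty".
    known=$(printf '%s\n' "$2" | awk '{ t = $2; sub(/^tty/, "", t); printf " %s:%s", $1, t }')
    printf '%s\n' "$1" | awk -v known="$known " '
        NR == 1 { next }                                  # header line
        $3 == "??" { next }                               # no controlling tty
        $4 !~ /^-?(.*\/)?(sh|csh|tcsh|ksh|bash)$/ { next } # not a shell
        index(known, " " $1 ":" $3 " ") == 0 { print $1, $2, $3, $4 }
    '
}

unexplained_shells "$PS_SAMPLE" "$WHO_SAMPLE"
```

On a live box, feed it `"$(ps -axo user,pid,tty,command)" "$(who)"` instead of the samples; a hit is a lead to investigate, not proof of compromise.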