Date: Mon, 15 Jan 2001 00:52:47 +1000
From: "Doug Young" <dougy@bryden.apana.org.au>
To: <freebsd-questions@FreeBSD.ORG>
Subject: security issue with 4.2
Message-ID: <014d01c07e39$aa566c00$847e03cb@apana.org.au>
I'd appreciate feedback from the list on the following issue. As far as I can tell, the attempted intrusion was not successful; however, I think it's probably time to take another look at increasing security measures, and hopefully someone can suggest sources of suitable documentation. I tend to rely fairly heavily on the user-friendly sites such as bsdvault.net & freebsddiary.org, but if there are other sources of fairly explicit info on this subject I'd be very interested in knowing.

Some weeks after installing 4.2 & instituting as many security features as I considered reasonable for a machine with nothing of particular value on it, I discovered the following entries in /var/log/messages:

    Jan 14 11:52:41 bryden ftpd [32545]: /etc/pwd.db: No such file or directory
    Jan 14 12:04:50 bryden ftpd [32559]: /etc/pwd.db: No such file or directory

which I presume means some vandal was intent on mischief.

The IP of the culprit is "216.232.154.85"; nslookup tells me that belongs to "atg93398y2j4.bc.hsia.telus.net".

Since the number resolves to a name I figure the user probably has a permanent account with telus.net, so notification of the telus.net webmaster is in order.
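The triage a list reader would do on such a report, as an added example (this is not the poster's script, and the sample log is constructed; only the two pwd.db lines mirror what was reported): pull the ftpd error lines out of a syslog-format file, list the ftpd PIDs involved so each session can be cross-referenced with other logs, and confirm on the server that the password database ftpd is complaining about actually exists. The function names, the sample sshd/anonymous-login lines and the temp paths are all assumptions made for the example.

```sh
# Added example (not from the original post): triage ftpd error lines in a
# syslog-format file. The sample log is constructed; only the two pwd.db
# lines mirror the entries the poster saw in /var/log/messages.

SAMPLE_LOG="${TMPDIR:-/tmp}/ftpd-triage-sample.$$"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 14 11:52:41 bryden ftpd[32545]: /etc/pwd.db: No such file or directory
Jan 14 12:04:50 bryden ftpd[32559]: /etc/pwd.db: No such file or directory
Jan 14 12:05:02 bryden sshd[32560]: Accepted password for doug from 10.0.0.5 port 40112 ssh2
Jan 14 13:10:17 bryden ftpd[32601]: ANONYMOUS FTP LOGIN FROM 192.0.2.7, mozilla@
EOF

# Count ftpd lines reporting the missing password database.
# The regex tolerates both "ftpd[pid]" and the "ftpd [pid]" spacing
# that appears in the post. grep -c prints 0 on no match but exits 1,
# so the "|| true" keeps the function usable under "set -e".
ftpd_pwddb_error_count() {
    grep -Ec 'ftpd ?\[[0-9]+\]: /etc/pwd\.db: No such file or directory' "$1" || true
}

# Print every ftpd PID seen in the log, one per line. Each PID is a
# separate ftpd session, which is the key for matching against xferlog
# or firewall logs to find the source address of each connection.
ftpd_event_pids() {
    awk '{
        if (match($0, /ftpd ?\[[0-9]+\]/)) {
            s = substr($0, RSTART, RLENGTH)
            gsub(/[^0-9]/, "", s)
            print s
        }
    }' "$1"
}

# Same list, space-separated on one line, convenient for reporting.
ftpd_event_pid_list() {
    ftpd_event_pids "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Check that the password databases ftpd relies on are present. On
# FreeBSD /etc/pwd.db is the public database and /etc/spwd.db the
# shadow one; ftpd complaining that pwd.db is missing is a host-side
# condition worth confirming before blaming the remote end. The etc
# directory is a parameter so the check can be exercised on a temp dir.
pwd_db_present() {
    etc="$1"
    [ -f "$etc/pwd.db" ] && [ -f "$etc/spwd.db" ]
}

# Reverse-resolve a source address the way the poster did with nslookup.
# Needs DNS access, so it is not exercised by the offline checks below.
resolve_source() {
    host "$1" 2>/dev/null | awk '/domain name pointer/ { print $NF }'
}

# Stand-alone run: summarise the sample log.
echo "ftpd pwd.db errors: $(ftpd_pwddb_error_count "$SAMPLE_LOG")"
echo "ftpd sessions (PIDs): $(ftpd_event_pid_list "$SAMPLE_LOG")"
```

Run on a real /var/log/messages, the PID list is what you join against xferlog or ipfw logs to recover the peer address for each session; the pwd.db check is the part that decides whether the log line is evidence of an intruder or of a local configuration problem.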
