Date: Mon, 15 Jan 2001 00:52:47 +1000
From: "Doug Young" <dougy@bryden.apana.org.au>
To: <freebsd-questions@FreeBSD.ORG>
Subject: security issue with 4.2
Message-ID: <014d01c07e39$aa566c00$847e03cb@apana.org.au>
I'd appreciate feedback from the list on the following issue. As far as I can tell, the attempted intrusion was not successful, however I think it's probably time to take another look at increasing security measures & hopefully someone can suggest sources of suitable documentation. I tend to rely fairly heavily on the user-friendly sites such as bsdvault.net & freebsddiary.org but if there are other sources of fairly explicit info on this subject I'd be very interested in knowing.

Some weeks after installing 4.2 & instituting as many security features as I considered reasonable for a machine with nothing of particular value on it, I discovered the following entries in /var/log/messages

Jan 14 11:52:41 bryden ftpd [32545]: /etc/pwd.db: No such file or directory
Jan 14 12:04:50 bryden ftpd [32559]: /etc/pwd.db: No such file or directory

which I presume means some vandal was intent on mischief.

The IP of the culprit is "216.232.154.85"; nslookup tells me that belongs to "atg93398y2j4.bc.hsia.telus.net"

Since the number resolves to a name I figure the user probably has a permanent account with telus.net, so notification of the telus.net webmaster is in order.
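An added example, not part of the original message: a small Python parser for lines in the BSD syslog format shown above that picks out ftpd's "/etc/pwd.db" errors and summarises them per host, so repeated occurrences in /var/log/messages can be spotted and counted. The sample lines are constructed (the two from the post plus one unrelated sshd line), and the year is assumed because syslog omits it.

```python
import re
from datetime import datetime

# Constructed sample of /var/log/messages: the two ftpd lines from the post
# plus one unrelated, made-up sshd line to show that non-matching lines are ignored.
SAMPLE_LOG = """\
Jan 14 11:52:41 bryden ftpd [32545]: /etc/pwd.db: No such file or directory
Jan 14 11:58:02 bryden sshd[312]: Accepted publickey for doug from 10.0.0.5 port 40122
Jan 14 12:04:50 bryden ftpd [32559]: /etc/pwd.db: No such file or directory
"""

# BSD syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
# ftpd on this host writes the tag as "ftpd [pid]" with a space, so the
# space before the bracketed pid is optional.
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\s\[:]+) ?(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)


def parse_syslog(text, year=2001):
    """Yield one dict per parseable line; lines that do not match are skipped.
    The year is an assumption: syslog timestamps do not carry one."""
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield {"ts": ts, "host": m["host"], "prog": m["prog"],
               "pid": m["pid"], "msg": m["msg"]}


def ftpd_pwd_db_errors(text, year=2001):
    """Return only ftpd events complaining about /etc/pwd.db, in log order."""
    return [e for e in parse_syslog(text, year)
            if e["prog"] == "ftpd" and e["msg"].startswith("/etc/pwd.db:")]


def summarize_pwd_db_errors(text, year=2001):
    """Per host: how many such events, which ftpd pids, and the time span covered."""
    summary = {}
    for e in ftpd_pwd_db_errors(text, year):
        s = summary.setdefault(e["host"], {"count": 0, "pids": [], "first": e["ts"], "last": e["ts"]})
        s["count"] += 1
        s["pids"].append(e["pid"])
        s["first"], s["last"] = min(s["first"], e["ts"]), max(s["last"], e["ts"])
    for s in summary.values():
        s["span_seconds"] = int((s["last"] - s["first"]).total_seconds())
    return summary
```

Each ftpd entry carries a different pid, so the count per host reflects separate connections rather than one process repeating the message.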