Date: Tue, 11 May 1999 18:57:38 -0400 (EDT)
From: Jim Cassata <jim@web-ex.com>
To: freebsd-security@freebsd.org
Subject: new type of attack?
Message-ID: <Pine.BSF.4.10.9905111458590.63800-100000@Homer.Web-Ex.com>

i just received this....

> We have been tracking a long series of subtle network probes that
>use TCP packets constructed with ACK and RST bits set. This bit
>combination allows these packets to pass through common packet filters.
>The attackers have breached many systems around the net, focusing on
>Linux and FreeBSD systems. These breached systems are used to either
>receive directly or through packet sniffing the responses from forged
>packets sent by the attackers. On Sunday (5-9-99), we collected some
>probe packets from address 209.54.43.133. This host is called
>sex.fiend.cx and appears to be part of your network. There is a strong
>possibility that this host or one very near it has been breached and is
>being used to collect data probed from other networks. Our logs go back
>over a month and this is the first time this particular host has been
>seen on our network. The attackers seem to be able to move on to new
>systems very quickly as there are apparently plenty of vulnerable
>systems to breach. Our mail server was breached back in December and
>was used for similar activities for 2 days. The attackers created 2
>accounts, udp and reboot. The udp account had root privs and no
>password.
>
>The time of the probe was 14:05 CDT

has anyone seen this kind of thing?

Jim Cassata

516.421.6000
jim@web-ex.com

Web Express
20 Broadhollow Road
Suite 3011
Melville, NY 11747

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
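
The filtering weakness the quoted report describes, as an added example that is not part of the original mail: a flag-only "established" rule passes any segment with ACK or RST set, while a filter that tracks outbound connections drops the unsolicited one. The packets are constructed samples using RFC 5737 documentation addresses, and `StatefulFilter`, `build` and `verdicts` are hypothetical names.

```python
import struct

SYN, RST, ACK = 0x02, 0x04, 0x10

def parse_tcp(pkt: bytes):
    """Return (src, sport, dst, dport, flags) from a raw IPv4+TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    if len(pkt) < ihl + 20:
        raise ValueError("truncated TCP header")
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, sport, dst, dport, pkt[ihl + 13]

def stateless_established(flags: int) -> bool:
    """Flag-only rule: pass anything that has ACK or RST set."""
    return bool(flags & (ACK | RST))

class StatefulFilter:
    """Pass inbound packets only for flows that were opened from the inside."""
    def __init__(self):
        self.flows = set()

    def outbound(self, pkt: bytes):
        src, sport, dst, dport, flags = parse_tcp(pkt)
        if flags & SYN and not flags & ACK:      # initial SYN opens a flow
            self.flows.add((src, sport, dst, dport))

    def inbound_allowed(self, pkt: bytes) -> bool:
        src, sport, dst, dport, _ = parse_tcp(pkt)
        return (dst, dport, src, sport) in self.flows

def build(src, sport, dst, dport, flags) -> bytes:
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 0, 0, 0)
    return ip + tcp

# Constructed traffic (documentation addresses, not the hosts named in the mail).
fw = StatefulFilter()
fw.outbound(build("192.0.2.10", 40000, "198.51.100.5", 80, SYN))
reply = build("198.51.100.5", 80, "192.0.2.10", 40000, SYN | ACK)  # answers our SYN
probe = build("203.0.113.7", 80, "192.0.2.10", 25, RST | ACK)      # matches no flow

def verdicts(pkt: bytes):
    """Return (passes flag-only rule, passes stateful filter)."""
    return stateless_established(parse_tcp(pkt)[4]), fw.inbound_allowed(pkt)
```

Inbound segments that pass the flag-only rule but match no tracked flow are the ones worth logging when hunting for this kind of probe.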