Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 11 May 1999 17:35:02 -0700 (PDT)
From:      Matthew Dillon <dillon@apollo.backplane.com>
To:        Jim Cassata <jim@web-ex.com>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: new type of attack?
Message-ID:  <199905120035.RAA80884@apollo.backplane.com>
References:   <Pine.BSF.4.10.9905111458590.63800-100000@Homer.Web-Ex.com>
index | next in thread | previous in thread | raw e-mail 

:i just received this....
:
:>    We have been tracking a long series of subtle network probes that
:>use TCP packets constructed with ACK and RST bits set.  This bit
:>combination allows these packets to pass through common packet filters.
:>The attackers have breached many systems around the net, focusing on
:>Linux and FreeBSD systems.  These breached systems are used to either
:>receive directly or through packet sniffing the responses from forged
:>packets sent by the attackers.  On Sunday (5-9-99), we collected some
:>probe packets from address 209.54.43.133.  This host is called
:>sex.fiend.cx and appears to be part of your  network.  There is a strong
:>possiblity that this host or one very near it has been breached and is
:>being used to collect data probed from other networks.  Our logs go back
:>over a month and this is the first time this particular host has been
:>seen on our network.  The attackers seem to be able to move on to new
:>systems very quickly as there are apparently plenty of  vulnerable
:>systems to breach.  Our mail server was breached back in December and
:>was used for similar activities for 2 days.  The attackers created 2
:>accounts, udp and reboot.  The udp account had root privs and no
:>password.
:>
:>The time of the probe was 14:05 CDT
:
:has anyone seen this kind of thing? 
:
:Jim Cassata
:
:516.421.6000
:jim@web-ex.com
:
:Web Express
:20 Broadhollow Road
:Suite 3011
:Melville, NY 11747

    The network probe idea sounds interesting.  The breech in this person's
    mail server is probably the long-since-fixed root exploit in popper and 
    imapd... if he is still getting broken into, he is running out of date
    software.  The two are entirely separate issues.

					-Matt
					Matthew Dillon 
					<dillon@backplane.com>


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
help

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199905120035.RAA80884>