From owner-freebsd-security Tue Mar 20 2:51:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from closed-networks.com (shady.org [195.153.248.241]) by hub.freebsd.org (Postfix) with SMTP id 3044537B719 for ; Tue, 20 Mar 2001 02:51:38 -0800 (PST) (envelope-from marcr@closed-networks.com)
Received: (qmail 15197 invoked by uid 1000); 20 Mar 2001 10:52:14 -0000
Date: Tue, 20 Mar 2001 10:52:14 +0000
From: Marc Rogers
To: freebsd-security@freebsd.org
Subject: Re: Odd event -- possible security hole or DoS?
Message-ID: <20010320105214.J10016@shady.org>
References: <4.3.2.7.2.20010319172800.00cf9c60@localhost> <4.3.2.7.2.20010319172800.00cf9c60@localhost> <20010319223615.B14837@xor.obsecurity.org> <4.3.2.7.2.20010320001710.00d88950@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <4.3.2.7.2.20010320001710.00d88950@localhost>; from brett@lariat.org on Tue, Mar 20, 2001 at 12:19:15AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

You mentioned that the box was a popmail server? What popmail system, and was it running through inetd?

In my past I had to maintain some fairly heavy load 2.2.8 boxes with Qualcomm's qpopper running from inetd, and I saw some very similar behaviour. In the end this was why I eventually moved that particular client away from running stuff out of inetd and towards using tcpserver.

Without seeing process logs and in-depth netstat output I suspect that it will be impossible for anyone to absolutely quantify this. Perhaps the kid was using octopus.c. In the future I would suggest that you install something like snort and/or iplog. Keep lsof handy too.

Then if you really want to sit and wait for it to happen, you can give us all some meaty logs to work with :)

I would suggest not worrying about it though and just upgrading that system to 4.2-STABLE before the kid (if it wasn't just a naturally occurring inetd cockup) finds some old exploits and roots you.

Marc Rogers
Head of Network Operations & Security
EDC Group

On Tue, Mar 20, 2001 at 12:19:15AM -0700, Brett Glass wrote:
> At 11:36 PM 3/19/2001, Kris Kennaway wrote:
>
> >I can't even begin to remember all of the TCP, kernel and application
> >bugs fixed in the 2 1/2 years since 2.2.8. There are probably a
> >number of ways someone could have caused something like this.
>
> I guess what I'm concerned about is that I don't know if it's
> an intentional DoS and/or if it's present in current versions.
> I'll try to do some testing to see if I can lock up inetd
> on that system again via finger.
>
> --Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
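Marc's point is that nobody can say much without the "in-depth netstat output" and process logs from the box while the event is happening. The script below is an added example, not something from this thread or from the FreeBSD project: it takes netstat -an style text (BSD netstat prints addresses as host.port) and summarises non-listening TCP sockets per local port, flags any port whose connection count reaches a threshold, and breaks one port down by remote host so you can see whether the load is coming from a single source. The netstat lines embedded in it are constructed sample data using documentation addresses, not a capture from Brett's server; in real use you would pipe `netstat -an` into the same functions.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise "netstat -an" style
# output by local port so a pile-up of connections against the POP server
# (port 110) stands out. The lines below are constructed, not real logs.

SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  192.0.2.10.110         198.51.100.7.40112     SYN_RCVD
tcp4       0      0  192.0.2.10.110         198.51.100.7.40113     SYN_RCVD
tcp4       0      0  192.0.2.10.110         198.51.100.7.40114     ESTABLISHED
tcp4       0      0  192.0.2.10.110         198.51.100.7.40115     SYN_RCVD
tcp4       0      0  192.0.2.10.79          203.0.113.9.51020      ESTABLISHED
tcp4       0      0  192.0.2.10.22          203.0.113.9.51021      ESTABLISHED
tcp4       0      0  *.110                  *.*                    LISTEN
tcp4       0      0  *.79                   *.*                    LISTEN'

# Count non-listening TCP sockets per local port. Reads netstat text on stdin
# and prints "port count" lines, highest count first.
count_by_local_port() {
    awk '$1 ~ /^tcp/ && $NF != "LISTEN" {
            n = split($4, a, ".")      # BSD netstat joins host and port with "."
            port = a[n]
            count[port]++
         }
         END { for (p in count) print p, count[p] }' | sort -k2,2nr
}

# Print only the local ports whose connection count reaches THRESHOLD (arg 1).
flag_flooded_ports() {
    threshold="$1"
    count_by_local_port | awk -v t="$threshold" '$2 >= t { print $1 }'
}

# For one local port (arg 1), count connections per remote host. This shows
# whether the load comes from a single source or is spread across many.
sources_for_port() {
    port="$1"
    awk -v p="$port" '$1 ~ /^tcp/ && $NF != "LISTEN" {
            n = split($4, a, "."); if (a[n] != p) next
            m = split($5, b, ".")      # drop the trailing port field
            host = b[1]
            for (i = 2; i < m; i++) host = host "." b[i]
            c[host]++
         }
         END { for (h in c) print h, c[h] }' | sort -k2,2nr
}

# Run the summary over the constructed sample; replace the printf with
# "netstat -an" to use it on a live system.
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_local_port
printf '%s\n' "$SAMPLE_NETSTAT" | flag_flooded_ports 3
printf '%s\n' "$SAMPLE_NETSTAT" | sources_for_port 110
```

Run it from cron or a loop with `netstat -an | flag_flooded_ports 50` every few seconds, and when it prints a port, dump `netstat -an`, `ps axl` and `lsof -i :PORT` to a timestamped file; that is the kind of record the thread is asking for, and the per-source breakdown tells you quickly whether one host is responsible or the inetd instance simply fell over under ordinary load.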