From owner-freebsd-questions Fri Jun 4 13:32:37 1999 Delivered-To: freebsd-questions@freebsd.org Received: from resnet.uoregon.edu (resnet.uoregon.edu [128.223.144.32]) by hub.freebsd.org (Postfix) with ESMTP id 4240E15B14 for ; Fri, 4 Jun 1999 13:30:52 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu) Received: from localhost (dwhite@localhost) by resnet.uoregon.edu (8.8.8/8.8.8) with ESMTP id NAA16297; Fri, 4 Jun 1999 13:30:48 -0700 (PDT) (envelope-from dwhite@resnet.uoregon.edu) Date: Fri, 4 Jun 1999 13:30:47 -0700 (PDT) From: Doug White To: Marco Masotti Cc: freebsd-questions@FreeBSD.ORG Subject: Re: Popper unknown command (FreeBSD 2.1.6) In-Reply-To: <37569A8B.E3A735BD@tiscalinet.it> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Thu, 3 Jun 1999, Marco Masotti wrote: > > Hello. > I'm reviewing the log files accumulated on a bastion host > (FreeBSD 2.1.6-stable) and I've seen several messages in this pattern: > I think is the attempt of exploiting a breach in the popper program, but > I cannot realize which kind of attempt is that and whether it succeded > or not. > > Thanks for any hint! > > -Marco > > > Apr 28 19:46:12 lafaiette popper[1106]: @ip168.pool-310.flashnet.it: > -ERR Unknown command: > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P Someone is attempting to exploit a known bug in popper. You should upgrade popper immediately and check for any breakins. Based on the reaction of popper, you have probably been comprimised. Doug White Internet: dwhite@resnet.uoregon.edu | FreeBSD: The Power to Serve http://gladstone.uoregon.edu/~dwhite | www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message