Date:      Sun, 5 Jul 1998 10:49:55 -0400 (EDT)
From:      Matt Behrens <matt@megaweapon.zigg.com>
To:        Scot Elliott <scot@planet-three.com>
Cc:        freebsd-isp@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject:   Re: Security Alert: Qualcomm POP Server
Message-ID:  <Pine.BSF.3.96.980705104849.15530A-100000@megaweapon.zigg.com>
In-Reply-To: <Pine.BSF.3.96.980705100321.19331A-100000@tweetie.online.barbour-index.co.uk>

This is the bug mentioned on BUGTRAQ about two weeks ago.  A friend of mine
got hit as well by "well-meaning" attackers.  Blah.

In any case, he upgraded to 2.52 of popper and is now immune to at least the
script kiddie attacks.

On Sun, 5 Jul 1998, Scot Elliott wrote:

> Morning all.
> 
> I caught someone last night with a root shell on our mail server.  I
> traced it back to somewhere in the US, but unfortunately got locked out
> and the log files removed before I had time to fix it ;-(
> 
> I shut the machine down remotely by mounting /usr over NFS and changing
> /usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
> ;-)
> 
> Anyway - the point is that it looks like some kind of buffer overflow in
> the POP daemon that ships with FreeBSD 2.2.6.  I noticed lots of ^P^P^P...
> messages from popper in the log file before it was removed.  There was an
> extra line in /etc/inetd.conf which ran a shell as root on some port I
> wasn't using (talk I think).  So I'm guessing that the exploit allows
> anyone to run any command as root.  Nice.  Whoever it was was having a
> whale of a time with my C compiler for some reason... very dodgy.
> 
> If I can find out the source of this then I'd like to follow it up.  Does
> anyone have experience of chasing this sort of thing from across the US
> border?  Also, of course, everyone should check their popper version.
> 
> Cheers
> 
> 
> Yours - Scot.
> 
> 
> -----------------------------------------------------------------------------
> Scot Elliott (scot@poptart.org, scot@nic.cx)	| Work: +44 (0)171 7046777
> PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
> -----------------------------------------------------------------------------
> Public key available by finger at:   finger scot@poptart.org
> 			    or at:   http://www.poptart.org/pgpkey.html
> 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe security" in the body of the message
> 

Matt Behrens <matt@zigg.com>          | http://www.zigg.com/
Network Operations, The Iserv Company | Proudly running FreeBSD; sworn
MIS, Michigan Kenworth, Inc.          | enemy of Linux, a free hack OS
Chanop Script Coordinator, WWFIN      | and Windows, a non-free hack OS!


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
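A defender-side check for the two indicators Scot describes (popper log lines stuffed with ^P, and an inetd.conf entry that hands out a root shell on an unused service), written as an added example for this page and not taken from the thread or from popper itself. The syslog and inetd.conf samples are constructed, and the run-length threshold is an assumption.

```python
import re

# Constructed sample log, not taken from the thread. BSD syslogd writes
# non-printable bytes as ^X, so a padded overflow attempt appears as a run of
# "^P"; the third line uses raw 0x10 bytes to cover logs that keep them.
SAMPLE_SYSLOG = "\n".join([
    'Jul  4 23:11:58 mail popper[1231]: (v2.41) Servicing request from "client.example.net" at 192.0.2.10',
    'Jul  4 23:12:01 mail popper[1231]: -ERR Unknown command: "%s".' % ("^P" * 24),
    'Jul  4 23:14:17 mail popper[1240]: -ERR Unknown command: "%s".' % ("\x10" * 32),
])
# Constructed inetd.conf; the last entry is the kind of backdoor described above.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd         ftpd -l
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper popper
talk    dgram   udp     wait    root    /bin/sh                   sh -i
"""

MIN_RUN = 8  # assumed threshold; POP3 commands never legitimately contain 0x10
CTRL_P_RUN = re.compile(r"(?:\^P|\x10){%d,}" % MIN_RUN)
POPPER_LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) popper\[(?P<pid>\d+)\]: (?P<msg>.*)$")
SHELLS = {"sh", "csh", "tcsh", "ksh", "bash"}

def find_popper_overflow_attempts(syslog_text):
    """Return (timestamp, pid, run_length) for each popper line carrying a ^P run."""
    hits = []
    for line in syslog_text.splitlines():
        m = POPPER_LINE.match(line)
        if not m:
            continue
        run = CTRL_P_RUN.search(m.group("msg"))
        if run:
            # normalise the escaped form so both spellings count one per byte
            length = len(run.group(0).replace("^P", "\x10"))
            hits.append((m.group("ts"), int(m.group("pid")), length))
    return hits

def find_shell_services(inetd_conf_text):
    """Return (service, user, program) for inetd entries whose server is a shell."""
    suspicious = []
    for line in inetd_conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()  # service type proto wait user program [args]
        if len(fields) < 6:
            continue
        service, user, program = fields[0], fields[4], fields[5]
        if program.rsplit("/", 1)[-1] in SHELLS:
            suspicious.append((service, user, program))
    return suspicious
```

Run both functions over the live /var/log/messages and /etc/inetd.conf (and compare the inetd.conf against a known-good copy), since an intruder who got root can also edit the log, as happened here.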


