From owner-freebsd-questions Tue Jul 28 21:21:27 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id VAA04357 for freebsd-questions-outgoing; Tue, 28 Jul 1998 21:21:27 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from lucy.bedford.net (lucy.bedford.net [206.99.145.54]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id VAA04350 for ; Tue, 28 Jul 1998 21:21:21 -0700 (PDT) (envelope-from listread@lucy.bedford.net)
Received: (from listread@localhost) by lucy.bedford.net (8.8.8/8.8.8) id AAA23973; Wed, 29 Jul 1998 00:20:41 -0400 (EDT) (envelope-from listread)
Message-Id: <199807290420.AAA23973@lucy.bedford.net>
Subject: Re: version 2.1.0 and a hacker I can't keep out
In-Reply-To: <199807290012.TAA10736@red.kd0yu.com> from Dave Helton at "Jul 28, 98 08:02:16 pm"
To: dave@kd0yu.com
Date: Wed, 29 Jul 1998 00:20:41 -0400 (EDT)
Cc: questions@FreeBSD.ORG
X-no-archive: yes
Reply-to: djv@bedford.net
From: CyberPeasant
X-Mailer: ELM [version 2.4ME+ PL38 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Dave Helton wrote:
> Dear Sirs,
>
> Frustration is running high!
> I am using ver 2.1.0-RELEASE. Have ordered the latest
> (v2.6.6-RELEASE) from cdrom.com So... before it's installed I would
> still like to know how the hell he's doing it.

From a script. He's hammering a buffer overrun in qpopper.

> I get the following:
>
> Jul 28 14:03:33 home popper[1027]: -ERR Unknown command:
> "^P^P^P^P^P^P^P^P^P^P^P ....
> Jul 28 14:03:49 home popper[1028]: (v2.1.4-R3) Servicing request from
> "usimsptc2-146.usinternet.com" at 208.160.34.146

Looks like a dialup account. Is it always the same IPA? Might be spoofed.

> As you can see... I know where he's coming from. I find that he
> hammers away on port 110 with these control-p's till the popper
> exits. Afterwards the log files show missing hours of time and my
> system is trashed.
>
> I am sure part of the answer will be that ver 2.2.6 will fix it with
> the firewall and all... but I would still like an answer from someone
> with a handle on just what I am looking at. I have been plagued
> with this guy now for a week and have been losing sleep over it. I
> would appreciate some inside information on how this is done and how
> to prevent it.

Well, this is, I think, a common script kidz game. It's been out for a
couple of months, IIRC. Heh, I don't crack, and I don't run qpopper, but
I've heard of it.

a) Get the latest qpopper port, and build it from source.

b) In conjunction with law enforcement and her ISP, prosecute the
   intruder. law enforcement = FBI, probably. Make her squeal.

d) In future, subscribe to the bugtraq mailing list, or at least the
   CERT bulletins, and the freebsd-security list. www.???.org for details.

e) From time to time, visit www.rootshell.com to see what the lamerz
   are up to.

d) and e) are minimal duties if you're providing services to others.

Visit the CERT website and get their stuff about inspecting your system
for root compromise. The holes in old qpoppers are wide and deep.

Some people are annoyed by using "hacker" to describe a criminal. Leave
that to CNN. It's like referring to a burglar as a "carpenter" ;)

Dave
--
Sancho Panza: `Microsoft Windows NT Server is the most secure network
operating system available.'
Don Quixote: `You are mistaken, Sancho.'

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
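A defender-side check for the popper log pattern quoted in the thread, added here as an example and not part of the original reply or of qpopper: it parses syslog lines of the shape shown above, expands the caret notation ("^P") the log used, flags "Unknown command" entries that are long and made of control bytes rather than a short POP3 keyword, and joins each hit to the client address the same popper pid logged in its "Servicing request" line. The sample lines, hostnames, addresses and the length/ratio thresholds are constructed assumptions.

```python
import re

# Constructed sample lines modelled on the syslog excerpt in the thread (host,
# pids, client names and addresses are made up; "^P" is caret notation for 0x10).
SAMPLE_LOG = "\n".join([
    'Jul 28 14:03:33 home popper[1027]: -ERR Unknown command: "' + "^P" * 40 + '"',
    'Jul 28 14:03:49 home popper[1028]: (v2.1.4-R3) Servicing request from "dialup-146.example.net" at 198.51.100.146',
    'Jul 28 14:03:50 home popper[1028]: -ERR Unknown command: "' + "^P" * 60 + '"',
    'Jul 28 14:05:10 home popper[1031]: (v2.1.4-R3) Servicing request from "mailhost.example.net" at 192.0.2.7',
    'Jul 28 14:05:11 home popper[1031]: -ERR Unknown command: "HELO"',
])

SYSLOG_RE = re.compile(r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ popper\[(?P<pid>\d+)\]: (?P<msg>.*)$')
SERVICING_RE = re.compile(r'Servicing request from "(?P<name>[^"]*)" at (?P<ip>[\d.]+)')
UNKNOWN_RE = re.compile(r'-ERR Unknown command: "(?P<cmd>.*)')  # closing quote may be cut off

def caret_to_ctrl(s):
    """Expand caret notation (^P, ^@, ...) back to the control byte it stands for."""
    return re.sub(r'\^([@-_])', lambda m: chr(ord(m.group(1)) ^ 0x40), s)

def is_suspicious(cmd, min_len=32, ctrl_ratio=0.5):
    """Real POP3 commands are short ASCII keywords (USER, PASS, LIST, ...); a long
    'command' dominated by control bytes is the pattern from the quoted log."""
    if len(cmd) < min_len:
        return False
    ctrl = sum(1 for c in cmd if ord(c) < 0x20 or ord(c) == 0x7f)
    return ctrl / len(cmd) >= ctrl_ratio

def scan_popper_log(text):
    """One alert per oversized, control-heavy command, joined to the client address
    the same popper pid logged in its 'Servicing request' line, if it logged one."""
    clients = {}  # pid -> ip from the most recent "Servicing request" line
    alerts = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pid, msg = m['pid'], m['msg']
        s = SERVICING_RE.search(msg)
        if s:
            clients[pid] = s['ip']
            continue
        u = UNKNOWN_RE.search(msg)
        if u:
            cmd = caret_to_ctrl(u['cmd'].rstrip('"'))
            if is_suspicious(cmd):
                alerts.append({'time': m['ts'], 'pid': pid,
                               'client': clients.get(pid, 'unknown'), 'length': len(cmd)})
    return alerts
```

Run `scan_popper_log` over the popper lines of /var/log/messages; a hit whose client is "unknown" means the overrun arrived before (or without) a "Servicing request" line for that pid, which is worth correlating against the preceding entries by hand.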