Date: Thu, 16 Jul 1998 15:03:14 -0600
From: Brett Glass <brett@lariat.org>
To: "Jan B. Koum" <jkb@best.com>, "L. Brett Glass" <rogue@well.com>
Cc: chat@FreeBSD.ORG
Subject: Re: We are under attack
Message-ID: <199807162106.PAA07832@lariat.lariat.org>
In-Reply-To: <Pine.BSF.3.96.980716131302.24161A-100000@shell6.ba.best.com>
References: <199807161958.MAA17474@well.com>
At 01:28 PM 7/16/98 -0700, Jan B. Koum wrote:

> Yeah, BSD and Linux exploits were posted on bugtraq a few weeks
> ago. You do have a backup admin when you leave, right? :)

Yes, but he's primarily an NT whiz. ;-S

> www.hitman.com seem to be an ISP. Most likely they got 0wned with
> same exploit, backdoored it and use it now to stage new attacks.

I don't think so. Their InterNIC registration seems to use a fraudulently obtained e-mail address. I think they're hiding behind something. And, again, "eastcoast" implies a "westcoast", so this could be a nationwide thing.

> Hehe.. guess what? FBI doesn't care unless you have at least 100K
> loss or theft.

This is a big public e-mail server. There's a LOT of valuable business data on it. (Or, I should say, there WAS. One thing about buffer overflow exploits is that they usually corrupt RAM. They sideswiped the disk cache and we experienced some disk corruption as a result: files with nonexistent owners, etc. We have good backups, but unfortunately the attack did go into the business day.)

> Qualcomm bug was mentioned here and on bugtraq. You have
> excuse - you were gone. Someone else, if they don't know about qualcomm,
> it is their fault.

I first found info on it -- after I deduced that this was what was going on -- on CERT's Web site. They published the report on the 14th. I might have seen it earlier, but I was out of touch in the Scottish Highlands.

> Now, about recovering .. suspect ALL your data. Get a new system.
> Install 2.2.6 on it. Then cvsup to -stable and make world to make sure you
> have all the patches.

How long 'till 2.2.7?

> Then move over user data only from /usr/home (or
> other place where you have user data). Copy other files by hand and check
> them for backdoors (/etc/crontab, /etc/aliases, etc, etc). Install
> tripwire on your new system also. :)

Only one problem: PASSWORDS may have been compromised, too. The crackers got root.
Fortunately, we have a very small number of people with root privilege, and we can take care of all of them. But we still care about the users; we don't want their data compromised.

I think the big mistake was in using ANYTHING from Qualcomm. Eudora Pro is incredibly buggy, bloated, and slow, and their tech support is the worst on Earth.... I should have known.

Anyone know of a better POP server?

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
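The recovery advice quoted in this exchange (hand-check /etc/crontab and /etc/aliases for backdoors, install tripwire) and the "files with nonexistent owners" symptom Brett mentions can be turned into a small triage script. This is an added example, not code from the thread or from FreeBSD; it assumes POSIX sh with find, grep, cksum and diff, and runs on whatever directory or file you hand it.

```shell
#!/bin/sh
# Post-compromise triage helpers (added example, not from the original
# message). Assumes POSIX sh, find, grep, cksum and diff.

# Entries in an aliases(5) file that deliver mail to a program ("|cmd").
# Each such line deserves a look on a host where the crackers got root.
pipe_aliases() {                       # $1 = aliases file
    grep -v '^[[:space:]]*#' "$1" | grep '|'
}

# Files whose uid/gid no longer map to an account: the "nonexistent owners"
# symptom from the thread. Only meaningful on a real filesystem.
orphaned_files() {                     # $1 = directory to scan
    find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Tripwire-style baseline: CRC and size of every regular file, sorted by path.
make_baseline() {                      # $1 = directory, $2 = baseline file
    find "$1" -type f -exec cksum {} + | sort -k3 > "$2"
}

# Compare a tree with its baseline. Prints a diff of changed, added or
# removed entries; returns 1 if anything differs, 0 if the tree is clean.
check_baseline() {                     # $1 = directory, $2 = baseline file
    current=$(mktemp) || return 2
    find "$1" -type f -exec cksum {} + | sort -k3 > "$current"
    if diff -u "$2" "$current"; then
        rm -f "$current"; return 0
    fi
    rm -f "$current"; return 1
}

# Demo on constructed sample data (no real /etc involved). Returns 1
# because the crontab is modified after the baseline is taken.
demo() {
    work=$(mktemp -d) || return 2
    printf 'root: brett\n# comment\nsupport: "|/usr/local/bin/ticket"\n' \
        > "$work/aliases"
    mkdir "$work/etc" && printf '0 3 * * * root /bin/true\n' > "$work/etc/crontab"
    make_baseline "$work/etc" "$work/baseline"
    echo '* * * * * root /var/tmp/unexpected' >> "$work/etc/crontab"  # simulated tampering
    pipe_aliases "$work/aliases"
    check_baseline "$work/etc" "$work/baseline"; status=$?
    rm -rf "$work"
    return $status
}
```

Take the baseline from the freshly rebuilt system, before it goes back on the network, and keep the baseline file off the host it describes.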