From owner-freebsd-questions Sun Aug 1 23:41:33 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from cygnus.rush.net (cygnus.rush.net [209.45.245.133]) by hub.freebsd.org (Postfix) with ESMTP id A4E1D1503C for ; Sun, 1 Aug 1999 23:41:22 -0700 (PDT) (envelope-from bright@rush.net)
Received: from localhost (bright@localhost) by cygnus.rush.net (8.9.3/8.9.3) with SMTP id CAA13842; Mon, 2 Aug 1999 02:42:44 -0400 (EDT)
Date: Mon, 2 Aug 1999 02:42:42 -0400 (EDT)
From: Alfred Perlstein
To: Greg Lehey
Cc: Jerry Raynor , freebsd-questions@FreeBSD.ORG
Subject: Re: Getting Hacked threough POPPER
In-Reply-To: <19990802113251.K64532@freebie.lemis.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 2 Aug 1999, Greg Lehey wrote:

> On Sunday, 1 August 1999 at 21:48:09 -0400, Jerry Raynor wrote:
> > I'm using Sendmail 8.9 and FreeBSD 2.2.5-R (yes I know I have to upgrade,
> > I'm working on it). I keep getting attacked through Popper and shortly
> > after I see such an attack they login with a username on my system.
>
> Oops.
>
> > How are they doing this
>
> Take a look at
> http://www.cert.org/advisories/CA-98.08.qpopper_vul.html, which
> describes it in some detail.
>
> > and how can I stop it!?!
>
> Install the latest version of popper.

After a complete reinstall! It's essential that you back up all your data and do a reinstall with a fixed version of popper. It's trivial for an attacker to add even more backdoors to your system, so even after you fix/disable popper they can get in. You want to make sure that no executables are in your "data" as well.
Use tar to back it up after taking the system off the network, and then after you reinstall (hopefully with a more recent version of FreeBSD) unpack the backup and make sure to strip any setuid-ness from your files:

    mkdir extract
    cd extract
    tar xzvf path/to/your_compressed_tarfile.tgz
    chmod -R a-s *

good luck,
-Alfred Perlstein - [bright@rush.net|bright@wintelcom.net]
systems administrator and programmer
Wintelcom - http://www.wintelcom.net/
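The restore-and-strip step Alfred describes, written out as an added POSIX shell example (this is not code from his message or from FreeBSD). It builds a small constructed backup tarball standing in for the data saved from the compromised host, unpacks it into a staging directory rather than over the live filesystem, strips every setuid/setgid bit, and then lists anything in the "data" tree that still carries an execute bit, since a mailbox or web directory should contain none. The paths, file names and the planted "backdoor" files are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): restore a data backup into a
# staging directory, strip setuid/setgid bits, then list anything that is
# still executable so it can be reviewed before it goes back on the box.
set -eu

# Construct a sample backup resembling a compromised host's "data": a
# mailbox, a user's HTML page, and two planted executables, one of them
# setuid. Everything here is made up for the demo.
make_sample_backup() {
    work=$1
    mkdir -p "$work/src/home/jerry/public_html" "$work/src/var/mail"
    printf 'From jerry@example.org\nSubject: hi\n\nhello\n' \
        > "$work/src/var/mail/jerry"
    printf '<html><body>hi</body></html>\n' \
        > "$work/src/home/jerry/public_html/index.html"
    # A script hiding behind an image name (planted, hypothetical).
    printf '#!/bin/sh\necho backdoor\n' \
        > "$work/src/home/jerry/public_html/photo.jpg"
    chmod 755 "$work/src/home/jerry/public_html/photo.jpg"
    # A setuid dotfile shell, the kind of thing "chmod -R a-s *" would miss
    # because the glob does not match names starting with a dot.
    printf '#!/bin/sh\n/bin/sh\n' > "$work/src/home/jerry/.hidden_sh"
    chmod 4755 "$work/src/home/jerry/.hidden_sh"
    (cd "$work/src" && tar -czf ../backup.tgz .)
    printf '%s\n' "$work/backup.tgz"
}

# Count regular files that still carry setuid (4000) or setgid (2000).
count_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Unpack the backup into a staging directory (never directly into /), strip
# all setuid/setgid bits, and print how many remain (should be 0). "." is
# used instead of "*" so dotfiles are covered too.
restore_stripped() {
    tarball=$1
    dest=$2
    mkdir -p "$dest"
    (cd "$dest" && tar -xzpf "$tarball")
    chmod -R a-s "$dest"
    count_setuid "$dest"
}

# List regular files with any execute bit set (user, group or other). In a
# data-only backup every hit deserves a look before the data is reused.
list_executables() {
    find "$1" -type f \( -perm -0100 -o -perm -0010 -o -perm -0001 \) | sort
}

demo() {
    work=$(mktemp -d)
    tarball=$(make_sample_backup "$work")
    left=$(restore_stripped "$tarball" "$work/extract")
    echo "setuid/setgid files remaining after strip: $left"   # prints 0
    echo "executables to review in the restored data:"
    list_executables "$work/extract"
    rm -rf "$work"
}

demo
```

Two points the one-liner in the message glosses over: `chmod -R a-s *` silently skips dotfiles and dot-directories at the top level, so use `.` (or `find ... -exec chmod a-s {} +`) instead, and stripping setuid is not enough on its own; the `find` pass for execute bits is what surfaces a shell script parked in a mailbox or web directory, which would run perfectly well without setuid once the attacker has a login again.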