Date: Wed, 19 May 1999 09:35:39 +0930 (CST)
From: Kris Kennaway
To: Keith Stevenson
Cc: freebsd-security@freebsd.org
Subject: Re: Interesting Attack
In-Reply-To: <19990518085043.A6970@homer.louisville.edu>

On Tue, 18 May 1999, Keith Stevenson wrote:

> We just had a Linux box fall victim to the WuFTPD/realpath(3) exploit. The
> cracker installed a slew of IRC tools, a sniffer, and a scanner which behaved
> very similarly to what you described. Thankfully it was on a switched network
> which limited the damage done by the sniffer, and the script-kiddie who broke
> in neglected to install the trojans included in his root-kit. This made the
> ircd very easy to find once the Linux-user noticed that his system load was
> awfully high.
>
> Anyway, since this thing had "root-kit" written all over it, it wouldn't
> surprise me in the slightest if there are lots of broken linux boxen on the
> internet running these scans.

I thought of that too in my case, but port-scanning some of the originating
boxes showed no common threads other than they were all running IRC daemons.
nmap reported a wide range of OSes, too (including a lot of BSDs), and from
correspondence with the admins they showed nothing out of the ordinary on
their systems..

Kris

> Regards,
> --Keith Stevenson--
>
> --
> Keith Stevenson
> System Programmer - Data Center Services - University of Louisville
> k.stevenson@louisville.edu
> PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into someone's
eye"
"Wow, that's sharp!"
 - Ace Rimmer and the Cat, _Red Dwarf_