From owner-freebsd-security Tue May 11 15:57:38 1999
Delivered-To: freebsd-security@freebsd.org
Received: from Homer.Web-Ex.com (homer.web-ex.com [209.54.66.254]) by hub.freebsd.org (Postfix) with ESMTP id C212D1514F for ; Tue, 11 May 1999 15:57:35 -0700 (PDT) (envelope-from jim@web-ex.com)
Received: from localhost (jim@localhost) by Homer.Web-Ex.com (8.9.3/8.9.3) with ESMTP id SAA64508 for ; Tue, 11 May 1999 18:57:38 -0400 (EDT)
X-Authentication-Warning: Homer.Web-Ex.com: jim owned process doing -bs
Date: Tue, 11 May 1999 18:57:38 -0400 (EDT)
From: Jim Cassata
To: freebsd-security@freebsd.org
Subject: new type of attack?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

i just received this....

> We have been tracking a long series of subtle network probes that
> use TCP packets constructed with ACK and RST bits set. This bit
> combination allows these packets to pass through common packet filters.
> The attackers have breached many systems around the net, focusing on
> Linux and FreeBSD systems. These breached systems are used to either
> receive directly or through packet sniffing the responses from forged
> packets sent by the attackers. On Sunday (5-9-99), we collected some
> probe packets from address 209.54.43.133. This host is called
> sex.fiend.cx and appears to be part of your network. There is a strong
> possibility that this host or one very near it has been breached and is
> being used to collect data probed from other networks. Our logs go back
> over a month and this is the first time this particular host has been
> seen on our network. The attackers seem to be able to move on to new
> systems very quickly as there are apparently plenty of vulnerable
> systems to breach. Our mail server was breached back in December and
> was used for similar activities for 2 days. The attackers created 2
> accounts, udp and reboot. The udp account had root privs and no
> password.
>
> The time of the probe was 14:05 CDT

has anyone seen this kind of thing?

Jim Cassata
516.421.6000
jim@web-ex.com
Web Express
20 Broadhollow Road Suite 3011
Melville, NY 11747
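The forwarded note says the ACK+RST segments "pass through common packet filters"; the usual reason is a stateless "established" rule that admits any segment carrying ACK or RST. As an added example (not code from this post or from any FreeBSD tool), the Python below parses raw IPv4/TCP headers, models such a rule, and flags an ACK+RST segment from a peer the monitored host has no connection with. The packets, addresses and the connection table are constructed here for the demonstration.

```python
import struct

# TCP flag bits, low six bits of the data-offset/flags word.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_ORDER = [(URG, "U"), (ACK, "A"), (PSH, "P"), (RST, "R"), (SYN, "S"), (FIN, "F")]

def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt):
    """Return (src, dst, sport, dport, flags) from a raw IPv4/TCP packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a complete TCP segment")
    src, dst = pkt[12:16], pkt[16:20]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    return (".".join(map(str, src)), ".".join(map(str, dst)), sport, dport, off_flags & 0x3F)

def flag_string(flags):
    """Compact flag rendering for log lines, e.g. ACK|RST -> 'AR'."""
    return "".join(name for bit, name in FLAG_ORDER if flags & bit)

def passes_established_filter(flags):
    """Model of a stateless 'established' rule: admit anything with ACK or RST set."""
    return bool(flags & (ACK | RST))

def classify(pkt, known_connections):
    """Verdict for one packet.  known_connections is a constructed table of
    (peer_ip, peer_port, local_ip, local_port) for connections the host opened;
    an ACK+RST from any other peer is an unsolicited reset, i.e. a probe."""
    src, dst, sport, dport, flags = parse_ipv4_tcp(pkt)
    if not passes_established_filter(flags):
        return "dropped-by-filter"
    if (flags & (ACK | RST)) == (ACK | RST) and (src, sport, dst, dport) not in known_connections:
        return "unsolicited-ack-rst"
    return "accepted"

# Constructed demo: one outbound session the host opened, and a probe from elsewhere.
KNOWN = {("192.0.2.7", 443, "10.0.0.5", 40000)}
PROBE = build_ipv4_tcp("198.51.100.9", "10.0.0.5", 1234, 80, ACK | RST)
print(flag_string(parse_ipv4_tcp(PROBE)[4]), classify(PROBE, KNOWN))  # AR unsolicited-ack-rst
```

A stateful filter (one that tracks the connections the host itself opened) makes the same decision at the packet-filter layer; the connection table here stands in for that state.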