From owner-freebsd-security Tue May 11 17:35:11 1999
Delivered-To: freebsd-security@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2]) by hub.freebsd.org (Postfix) with ESMTP id DBCB114E04 for ; Tue, 11 May 1999 17:35:09 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id RAA80884; Tue, 11 May 1999 17:35:02 -0700 (PDT) (envelope-from dillon)
Date: Tue, 11 May 1999 17:35:02 -0700 (PDT)
From: Matthew Dillon
Message-Id: <199905120035.RAA80884@apollo.backplane.com>
To: Jim Cassata
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: new type of attack?
References:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

:i just received this....
:
:> We have been tracking a long series of subtle network probes that
:>use TCP packets constructed with ACK and RST bits set. This bit
:>combination allows these packets to pass through common packet filters.
:>The attackers have breached many systems around the net, focusing on
:>Linux and FreeBSD systems. These breached systems are used to either
:>receive directly or through packet sniffing the responses from forged
:>packets sent by the attackers. On Sunday (5-9-99), we collected some
:>probe packets from address 209.54.43.133. This host is called
:>sex.fiend.cx and appears to be part of your network. There is a strong
:>possibility that this host or one very near it has been breached and is
:>being used to collect data probed from other networks. Our logs go back
:>over a month and this is the first time this particular host has been
:>seen on our network. The attackers seem to be able to move on to new
:>systems very quickly as there are apparently plenty of vulnerable
:>systems to breach. Our mail server was breached back in December and
:>was used for similar activities for 2 days. The attackers created 2
:>accounts, udp and reboot. The udp account had root privs and no
:>password.
:>
:>The time of the probe was 14:05 CDT
:
:has anyone seen this kind of thing?
:
:Jim Cassata
:
:516.421.6000
:jim@web-ex.com
:
:Web Express
:20 Broadhollow Road
:Suite 3011
:Melville, NY 11747

    The network probe idea sounds interesting. The breach in this
    person's mail server is probably the long-since-fixed root exploit in
    popper and imapd... if he is still getting broken into, he is running
    out of date software. The two are entirely separate issues.

                                        -Matt
                                        Matthew Dillon
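The forwarded report explains why these probes slip through: a stateless filter that admits any segment carrying the ACK bit cannot tell a reset belonging to a real connection from an unsolicited ACK+RST aimed at a host that never opened anything. The block below is an added illustration of the defender-side check, not code from this thread; it assumes a small connection table keyed by (remote port, local port) that the monitored host populates itself, and uses constructed sample segments.

```python
import struct

# TCP flag bits in the low six bits of the data-offset/flags word (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def build_tcp_header(sport, dport, flags, seq=0, ack=0, window=8192):
    """Construct a 20-byte TCP header for sample traffic (checksum left zero)."""
    off_flags = (5 << 12) | (flags & 0x3F)          # data offset 5 words, no options
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)

def parse_tcp_header(segment):
    """Return (sport, dport, flags) from the fixed part of a TCP header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    return sport, dport, off_flags & 0x3F

def naive_filter_admits(flags):
    """The stateless 'established' rule: anything carrying ACK is let through."""
    return bool(flags & ACK)

def classify(segment, known_conns):
    """Connection-aware check. known_conns is a hypothetical set of
    (remote_port, local_port) pairs for connections the host itself opened;
    an inbound ACK+RST that matches none of them is an unsolicited probe,
    even though the naive ACK rule above would admit it."""
    sport, dport, flags = parse_tcp_header(segment)
    if flags & (ACK | RST) == (ACK | RST) and (sport, dport) not in known_conns:
        return "unsolicited ACK+RST probe"
    if flags & SYN and not flags & ACK:
        return "new connection request"
    return "normal"

# Constructed sample traffic: one reset of a real connection, one probe.
KNOWN = {(80, 40001)}                                  # local 40001 <-> remote 80
legit_rst = build_tcp_header(80, 40001, ACK | RST)     # peer tearing down that session
probe = build_tcp_header(31337, 22, ACK | RST)         # no session exists to port 31337

if __name__ == "__main__":
    for name, seg in (("legit", legit_rst), ("probe", probe)):
        _, _, f = parse_tcp_header(seg)
        print(name, "naive filter admits:", naive_filter_admits(f),
              "->", classify(seg, KNOWN))
```

Both segments pass the naive ACK rule; only the connection table separates the genuine reset from the probe, which is the gap the report describes.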