Date:      Mon, 2 Aug 1999 02:42:42 -0400 (EDT)
From:      Alfred Perlstein <bright@rush.net>
To:        Greg Lehey <grog@lemis.com>
Cc:        Jerry Raynor <jerryr@ComCAT.COM>, freebsd-questions@FreeBSD.ORG
Subject:   Re: Getting Hacked threough POPPER
Message-ID:  <Pine.BSF.3.96.990802023337.20420d-100000@cygnus.rush.net>
In-Reply-To: <19990802113251.K64532@freebie.lemis.com>

On Mon, 2 Aug 1999, Greg Lehey wrote:

> On Sunday,  1 August 1999 at 21:48:09 -0400, Jerry Raynor wrote:
> > I'm using Sendmail 8.9 and FreeBSD 2.2.5-R (yes I know I have to upgrade,
> > I'm working on it).  I keep getting attacked through Popper and shortly
> > after I see such an attack they login with a username on my system.
> 
> Oops.
> 
> > How are they doing this 
> 
> Take a look at
> http://www.cert.org/advisories/CA-98.08.qpopper_vul.html, which
> describes it in some detail.
> 
> > and how can I stop it!?!
> 
> Install the latest version of popper.

After a complete reinstall!

It's essential that you backup all your data and do a reinstall
with a fixed version of popper.

It's trivial for an attacker to add even more backdoors to
your system so even after you fix/disable popper they can
get in.

You want to make sure that no executables are in your "data"
as well.  Use tar to back it up after taking the system off the
network and then after you reinstall (hopefully with a more recent
version of FreeBSD) unpack the backup and make sure to strip
any setuid-ness from your files:

mkdir extract
cd extract
tar xzvf path/to/your_compressed_tarfile.tgz   # path is relative to extract/ after the cd
chmod -R a-s .     # "." rather than "*" so dotfiles get their setuid/setgid bits stripped too

good luck,
-Alfred Perlstein - [bright@rush.net|bright@wintelcom.net] 
systems administrator and programmer
    Wintelcom - http://www.wintelcom.net/
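Example added here, not part of the thread: a small POSIX sh script that does the post-restore checks Alfred describes (list setuid/setgid files and stray executables in the unpacked backup, then strip the special bits). The function names and the sample tree it builds are my own constructions.

```sh
#!/bin/sh
# Added example (not from the original post): audit a restored backup tree
# for setuid/setgid bits and executables, then strip the special bits.
# Only find(1), chmod(1) and mktemp(1) are used.

# Print every regular file under $1 with setuid or setgid set.
# find(1) descends into dotfiles, unlike a "chmod -R a-s *" glob.
list_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Print executable regular files under $1; a pure "data" tree should have none,
# so anything listed here deserves a look before it goes back onto the host.
list_executables() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Strip setuid/setgid everywhere under $1 and print how many files were affected.
strip_special_bits() {
    count=$(list_special_bits "$1" | wc -l | tr -d ' ')
    chmod -R a-s "$1"
    echo "$count"
}

# Constructed sample tree (assumption, for demonstration only): a hidden
# setuid shell script, a setgid file and a plain executable among real data.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/.hidden" "$d/home/user"
    printf 'just data\n' > "$d/home/user/notes.txt"
    printf '#!/bin/sh\n' > "$d/.hidden/rootme"
    chmod 4755 "$d/.hidden/rootme"
    printf 'x' > "$d/home/user/sgidfile"
    chmod 2755 "$d/home/user/sgidfile"
    printf '#!/bin/sh\n' > "$d/home/user/script"
    chmod 755 "$d/home/user/script"
    echo "$d"
}

# Usage: ./audit_restore.sh /path/to/extract
[ $# -eq 0 ] || { list_executables "$1"; strip_special_bits "$1"; }
```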






