Date: Thu, 16 Jul 1998 12:58:39 -0700 (PDT)
From: "L. Brett Glass" <rogue@well.com>
To: chat@FreeBSD.ORG
Subject: We are under attack
Message-ID: <199807161958.MAA17474@well.com>
Our FreeBSD server has been under attack for the past 24 hours by crackers seeking to exploit a buffer overflow bug in Qualcomm's QPopper POP3 server. I just got back from a two-week honeymoon and had not heard about the potential exploit when we got hit.

I figured out what was going on from the system logs, which showed large amounts of bogus input to the daemon. The attacks seem to be originating from a domain in New York City; the name of the system is "eastcoast.hitnet.org" (AKA "hitman.com"). From the sound of it, this is an organized, nationwide group. They obviously have experience with FreeBSD, as they compiled Trojan horse versions of at least two system utilities and replaced the existing ones with them. I realized we'd been "rooted" when I saw that these files, which were owned by root:wheel, had been replaced.

We've contacted the FBI and hope for a speedy response. In the meantime, don't wait; if you're using FreeBSD with the Qualcomm POP3 server, get the new one NOW. It may also be a good idea to block traffic from the subnet 207.198.185.X, where the attacks on our system originated.

Help from the FreeBSD community in recovering from this root compromise would be MUCH appreciated.

--Brett Glass (normally brett@lariat.org)
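As an added defender-side example (not part of the original post), the following Python script records the contents hash, owner and mode of system binaries on a known-clean host and later reports any that have been swapped out, which is how the trojaned root:wheel utilities described above would have shown up. The baseline file location and the command-line usage are assumptions.

```python
import hashlib
import json
import os
import stat
import sys

def fingerprint(path):
    """Return (sha256, uid, gid, mode): the contents plus the ownership and mode a swapped binary must mimic."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.lstat(path)
    return (h.hexdigest(), st.st_uid, st.st_gid, stat.S_IMODE(st.st_mode))

def build_baseline(paths):
    """Snapshot taken while the host is known clean; keep a copy off-host, read-only."""
    return {p: fingerprint(p) for p in paths if os.path.isfile(p)}

def compare(baseline):
    """Re-fingerprint every baselined file; return {path: [reasons]} for anything changed."""
    findings = {}
    for path, (old_hash, old_uid, old_gid, old_mode) in baseline.items():
        if not os.path.isfile(path):
            findings[path] = ["missing"]
            continue
        new_hash, new_uid, new_gid, new_mode = fingerprint(path)
        reasons = []
        if new_hash != old_hash:
            reasons.append("contents changed")
        if (new_uid, new_gid) != (old_uid, old_gid):
            reasons.append("owner changed (%d:%d -> %d:%d)" % (old_uid, old_gid, new_uid, new_gid))
        if new_mode != old_mode:
            reasons.append("mode changed (%o -> %o)" % (old_mode, new_mode))
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    # Assumed usage: the first run records a baseline of the binaries named on the
    # command line; later runs compare against it. The BASELINE path is an assumption.
    BASELINE = "/var/db/binary-baseline.json"
    if not os.path.exists(BASELINE):
        with open(BASELINE, "w") as out:
            json.dump(build_baseline(sys.argv[1:]), out)
        print("baseline written to", BASELINE)
    else:
        with open(BASELINE) as inp:
            saved = {k: tuple(v) for k, v in json.load(inp).items()}
        for path, reasons in compare(saved).items():
            print("%s: %s" % (path, "; ".join(reasons)))
```

A baseline kept on the compromised host is only as trustworthy as the host; compare against a copy stored elsewhere, and rebuild it from a clean install once the system has been reinstalled.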