From: "L. Brett Glass" <rogue@well.com>
Date: Thu, 16 Jul 1998 12:58:39 -0700 (PDT)
To: chat@FreeBSD.ORG
Subject: We are under attack
Message-Id: <199807161958.MAA17474@well.com>

Our FreeBSD server has been under attack for the past 24 hours by crackers seeking to exploit a buffer overflow bug in Qualcomm's QPopper POP3 server. I just got back from a two-week honeymoon and had not heard about the potential exploit when we got hit. I figured out what was going on from the system logs, which showed large amounts of bogus input to the daemon.

The attacks seem to be originating from a domain in New York City; the name of the system is "eastcoast.hitnet.org" (AKA "hitman.com"). From the sound of it, this is an organized, nationwide group. They obviously have experience with FreeBSD, as they compiled Trojan horse versions of at least two system utilities and replaced the existing ones with them. I realized we'd been "rooted" when I saw that these files, which were owned by root:wheel, had been replaced.

We've contacted the FBI and hope for a speedy response. In the meantime, don't wait; if you're using FreeBSD with the Qualcomm POP3 server, get the new one NOW.

It may also be a good idea to block traffic from the subnet 207.198.185.X, where the attacks on our system originated.

Help from the FreeBSD community in recovering from this root compromise would be MUCH appreciated.

--Brett Glass (normally brett@lariat.org)