Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 27 Jun 1999 21:46:57 +1000 (EST)
From:      Keith Anderson <keith@apcs.com.au>
To:        Andrew McNaughton <andrew@scoop.co.nz>
Cc:        security@FreeBSD.ORG, questions@FreeBSD.ORG
Subject:   Re: Whats going on please
Message-ID:  <XFMail.990627214657.keith@apcs.com.au>
In-Reply-To: <199906271053.WAA01352@aniwa.sky>

next in thread | previous in thread | raw e-mail | index | archive | help
Hi Andrew

The version of popper is (v2.53) and the box is FreeBSD 3.1-REL.

The person is still trying to connect now.

I think I have closed all doors ATM. I have put tcp_wrappers on pop so only
local ip's can access mail. I will ftp in new source and remake a kernel. 

should I maybe cvs to 3.2-REL ? and make world 

The problem is, it's a remote site. 

If the hacker was in then I beleave he would stop trying all ports for access.

Thanks 

Keith


On 27-Jun-99 Andrew McNaughton wrote:
> 
> popper is a well known problem.  Search back through the archives of 
> freebsd-security for details.  Once one problem was found in popper, a series
> of other problems came to light.  I believe the problems that were identified
> have been fixed, but I don't know how comprehensively the source has been 
> analysed.
> 
> After getting root access (or presuming they had) through popper, they tried 
> to log in through ssh and telnet.  You have log entries from failed attempts,
> but I don't know your system well enough to comment on whether there were 
> successful logins also.  My guess is that they failed to get in the first 
> time, but may have succeeded in the second attack on popper.  Alternatively 
> they may have just gone away.
> 
> It's probable that if your version of popper is vulnerable then someone has 
> had root access to your machine, and potentially any change at all could have
> been made  to your setup.  To be really sure of your security you should 
> rebuild from backup, or failing that from a clean system install.
> 
> Looks like they were interested in the kmem user.  I don't know if that's 
> something to do with what is possible through the popper exploit, but it's 
> interesting that they didn't just go for root.  Is there some program which 
> runs as kmem but refuses to run as root that they might have been interested 
> in?
> 
> Andrew McNaughton
> 
> 
> 
> 
>> Hi All

<SNIP>


"The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD."

**  The thing I like most about Windows 98 is...
**  You can download FreeBSD with it!

----------------------------------
E-Mail: Keith Anderson <keith@apcs.com.au>
Australia Power Control Systems Pty. Limited.
Date: 27-Jun-99
Time: 21:38:32
Satelite Service 64K to 2Meg
This message was sent by XFMail
----------------------------------

What's the similarity between an air
conditioner and a computer? They both
stop working when you open windows.

----------------------------------



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?XFMail.990627214657.keith>