Date: Tue, 28 Jul 1998 14:11:24 PDT
From: "Show Boat" <showboat@hotmail.com>
To: security@FreeBSD.ORG
Subject: Post qpopper trauma
Message-ID: <19980728211125.14099.qmail@hotmail.com>
I've just joined the security mailing list. I've read the charters, and I think I'm in line here. If I offend, please be gentle in your flaming.

On July 17th my 2.2.5 system was violated via the qpopper hack. Fortunately I came online during the hack, and was able to salvage the situation somewhat. I found the info on the qpopper exploit, and corrected my version. The intruders were busy when they were on (with root access.) They were attempting to recompile telnetd with their own little backdoor in it. I replaced all my telnetd stuff from a recent system backup. (I ran diff on the sources and was able to tell the code they added.) I recompiled the original, and thought all was well. I believed I had eliminated all trace of the intrusion, and eliminated any way they might have back in.

However, it seems as though I was wrong. Last Friday, someone gained access to our system, and installed an eggdrop bot in our system. (hidden as well as could be.) This didn't come to my attention until this morning. The PID doesn't show up under 'ps aux'. If you grep specifically for that PID, it shows up as telnetd. They have a file called faqproxy, and a link telnetd@ -> faqproxy. The eggdrop does show under top though. Same PID as that telnetd.

I can't figure out how they gained access to the system this time. I am losing hair rapidly over this. They still have some kind of shunt that gives them root access. (or so it seems.) I've scoured my messages. The ONLY thing I cannot account for is this:

Jul 24 19:05:38 nefertiti popper[28212]: Client at "207.155.142.251" resolves to an unknown host name "ts010d47.pri-nj.concentric.net"

That it is popper scares me. The time frame is appropriate, as the eggdrop was launched in the 7pm hour of Jul 24. I've looked through the 'last' log extensively. Again, nothing I cannot account for. Anyone with potential root access (sudo) logged from an IP I can account for. So I am against a wall.

I cannot tell how access was gained, and I cannot guarantee that there aren't other nasties going on on the system. Thus, I am looking for some useful advice, or perhaps a security consult. If this is inappropriate for this list I apologize. I would be happy to continue this discussion through private e-mail.

Thanks,
Jeremy
showboat@hotmail.com