Date: Fri, 7 Aug 1998 14:11:20 -0700 (PDT)
From: Doug White <dwhite@resnet.uoregon.edu>
To: Greg Quinlan <gquinlan@qmpgmc.ac.uk>
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: MSCAN - named - Vulnerability
Message-ID: <Pine.BSF.4.00.9808071408370.15104-100000@resnet.uoregon.edu>
In-Reply-To: <01bdc224$ad8f41e0$380051c2@greg.qmpgmc.ac.uk>
On Fri, 7 Aug 1998, Greg Quinlan wrote:

> Further to the message regarding MSCAN, here is a transcript from the
> system log of someone overloading my name server and trying to hack my
> system. If you are wondering who it was:
>
> Aug 6 02:00:03 dns1 named[155]: named.3.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: named.4.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: named.5.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: named.6.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: named.7.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
> Aug 6 02:00:03 dns1 named[155]: Ready to answer queries.

This is the normal startup sequence for named. Note the last item. Odd restart time, though; that's usually when the system maintenance runs.

> Here is where they tried to hack something else?
>
> Aug 6 02:53:54 dns1 popper[1292]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:53:54 dns1 popper[1292]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:53:58 dns1 popper[1294]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:53:58 dns1 popper[1294]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:55:06 dns1 popper[1302]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:55:06 dns1 popper[1302]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:55:10 dns1 popper[1304]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:55:10 dns1 popper[1304]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:59:36 dns1 popper[1310]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:59:36 dns1 popper[1310]: @[164.138.210.56]: -ERR POP EOF received
> Aug 6 02:59:43 dns1 popper[1312]: (v2.4b2) Unable to get canonical name of client, err = 9
> Aug 6 02:59:43 dns1 popper[1312]: @[164.138.210.56]: -ERR POP EOF received

Okay, that could be something. That address belongs to France Telecom. Do you have anyone there who regularly checks mail on your system? The EOF may point to someone trying to exploit your popper (which IS VULNERABLE -- UPGRADE NOW!!)

Doug White                    | University of Oregon
Internet: dwhite@resnet.uoregon.edu | Residence Networking Assistant
http://gladstone.uoregon.edu/~dwhite | Computer Science Major
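The following is an added example and not part of the original thread or of either poster's work. It is a small Python log triage script for syslog lines of the kind quoted in the message: it parses the BIND 8 "SOA retry value is less then maintainance interval" zone-load warnings (a normal startup message, as the reply says) separately from qpopper sessions, and then flags any client address whose popper sessions repeatedly end in "-ERR POP EOF received" without the "Stats:" line qpopper writes when a session ends after a successful login, which is the pattern the reply reads as a possible popper probe. The sample log reuses the lines from the post plus one constructed legitimate session from a made-up address (10.1.2.3) to show that an EOF after a login is not counted; the year 1998, the 600-second window and the threshold of 3 sessions are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# FreeBSD syslogd line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# BIND 8 zone-load warning exactly as quoted in the post (the misspelling is BIND's own)
SOA_RE = re.compile(
    r"^(?P<zone>\S+): WARNING SOA retry value is less then maintainance interval "
    r"\((?P<retry>\d+) < (?P<interval>\d+)\)$"
)
POP_NOLOOKUP_RE = re.compile(r"^\(v[\d.a-z]+\) Unable to get canonical name of client")
POP_EOF_RE = re.compile(r"^@\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]: -ERR POP EOF received$")
POP_STATS_RE = re.compile(r"^Stats: ")  # written by qpopper at the end of a logged-in session

# Lines from the post, followed by one constructed legitimate session (pid 1320, 10.1.2.3).
SAMPLE_LOG = """\
Aug 6 02:00:03 dns1 named[155]: named.3.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug 6 02:00:03 dns1 named[155]: named.4.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug 6 02:00:03 dns1 named[155]: named.5.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug 6 02:00:03 dns1 named[155]: named.6.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug 6 02:00:03 dns1 named[155]: named.7.81.194.rev: WARNING SOA retry value is less then maintainance interval (300 < 900)
Aug 6 02:00:03 dns1 named[155]: Ready to answer queries.
Aug 6 02:53:54 dns1 popper[1292]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:53:54 dns1 popper[1292]: @[164.138.210.56]: -ERR POP EOF received
Aug 6 02:53:58 dns1 popper[1294]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:53:58 dns1 popper[1294]: @[164.138.210.56]: -ERR POP EOF received
Aug 6 02:55:06 dns1 popper[1302]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:55:06 dns1 popper[1302]: @[164.138.210.56]: -ERR POP EOF received
Aug 6 02:55:10 dns1 popper[1304]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:55:10 dns1 popper[1304]: @[164.138.210.56]: -ERR POP EOF received
Aug 6 02:59:36 dns1 popper[1310]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:59:36 dns1 popper[1310]: @[164.138.210.56]: -ERR POP EOF received
Aug 6 02:59:43 dns1 popper[1312]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 02:59:43 dns1 popper[1312]: @[164.138.210.56]: -ERR POP EOF received
Aug 6 03:10:01 dns1 popper[1320]: (v2.4b2) Unable to get canonical name of client, err = 9
Aug 6 03:10:04 dns1 popper[1320]: Stats: greg 2 5120 0 0
Aug 6 03:10:04 dns1 popper[1320]: @[10.1.2.3]: -ERR POP EOF received
""".splitlines()


def parse(line, assumed_year=1998):
    """Split one syslog line into fields; syslog carries no year, so one is assumed."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(
        f"{assumed_year} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S")
    return rec


def analyze(lines, burst_window_s=600, burst_threshold=3):
    """Return named SOA warnings and popper clients with bursts of EOF-only sessions."""
    soa_warnings = []
    sessions = defaultdict(lambda: {"eof": False, "stats": False, "ts": None})  # keyed by pid
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["prog"] == "named":
            m = SOA_RE.match(rec["msg"])
            if m:
                soa_warnings.append({"zone": m["zone"], "retry": int(m["retry"]),
                                     "interval": int(m["interval"])})
        elif rec["prog"] == "popper":
            s = sessions[rec["pid"]]
            s["ts"] = s["ts"] or rec["ts"]
            m = POP_EOF_RE.match(rec["msg"])
            if m:
                s["eof"], s["ip"] = True, m["ip"]
            if POP_STATS_RE.match(rec["msg"]):
                s["stats"] = True
    # An EOF with no Stats line: the client connected and dropped without logging in.
    by_ip = defaultdict(list)
    for s in sessions.values():
        if s["eof"] and not s["stats"]:
            by_ip[s["ip"]].append(s["ts"])
    probes = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best = lo = 0  # sliding window: most EOF-only sessions within burst_window_s
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > burst_window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= burst_threshold:
            probes[ip] = {"eof_sessions": len(stamps), "max_in_window": best}
    return {"soa_warnings": soa_warnings, "pop_probes": probes}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for w in result["soa_warnings"]:
        print(f"named: {w['zone']} retry {w['retry']} < interval {w['interval']} (informational)")
    for ip, info in result["pop_probes"].items():
        print(f"popper: {ip} {info['eof_sessions']} EOF-only sessions, "
              f"{info['max_in_window']} within the window; check who this is")
```

Run stand-alone it prints the five zone warnings as informational and one popper finding for the address in the post, which is the question the reply raises: is that a user of yours checking mail, or something else? Sessions are correlated by popper's pid, so the script depends on each popper child logging its lines under one pid, as in the quoted output.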