Date: Sun, 30 Sep 2001 16:02:03 -0700
From: Kris Kennaway
To: Jason
Cc: freebsd-questions@FreeBSD.ORG, questions@freebsd.org
Subject: Re: I was rooted using telnet
Message-ID: <20010930160203.A43149@xor.obsecurity.org>
In-Reply-To: message from jason@jason-n3xt.org on Sun, Sep 30, 2001 at 10:43:24PM +0000

On Sun, Sep 30, 2001 at 10:43:24PM +0000, Jason wrote:
> Yes, I did see it on my daily reports AFTER it happened. They only had
> approx. 4-5 hours on my box, between the time I went to bed and woke
> up. When I get up and get to my box, the first thing I do is check to see
> who is on. I saw two unauthorized users (1 and 11). One of them was
> running a BNC for irc and the other was just idle. There were 2 other
> users created as well (tmp and asaf). I immediately killall'ed them,
> turned off telnet in inetd.conf and added the telnet port to my firewall.
>
> I have since examined the contents of the home dirs they created. They
> did in fact use a buffer overflow exploit. A couple of people have
> requested it; once I have time (I have a lot going on at work) I'll send
> the code and compiled script to the reputable requesters.

Please send it to security-officer@FreeBSD.org. We aren't aware of any
outstanding vulnerabilities in telnetd. Perhaps that wasn't actually the
route they used to get into the system, or perhaps there's something else
at work here.

Kris
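The response Jason describes (look for accounts you did not create, turn telnet off in inetd.conf, block the telnet port at the firewall) as a small shell script, run against sample files. This is an added example, not code from the thread or from FreeBSD. The inetd.conf and passwd contents are constructed sample data (the thread does not say what uid the intruder's accounts had); the ipfw rule syntax is an assumption, since the message says only "firewall", and the rule is printed rather than applied.

```shell
#!/bin/sh
# Added example, not from the original thread. Triage and hardening steps for
# the incident described above, run against constructed sample files.
# Assumptions: classic inetd.conf layout, ipfw as the firewall (the message
# only says "firewall"), and the firewall rule is printed, not applied.

# Exit 0 if an uncommented telnet service line is present in an inetd.conf.
telnet_enabled() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1"
}

# Comment out every active telnet line in place; other lines are untouched.
# (Restart or HUP inetd afterwards for the change to take effect.)
disable_telnet() {
    tmp=$(mktemp) || return 1
    sed -E 's/^([[:space:]]*telnet[[:space:]])/#\1/' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Usernames present in the current passwd file but absent from a known-good
# copy: the "tmp" and "asaf" style accounts an intruder adds.
new_accounts() {
    cut -d: -f1 "$1" | sort > "$1.names"
    cut -d: -f1 "$2" | sort > "$2.names"
    comm -13 "$1.names" "$2.names"
}

# Any uid-0 account other than root. The thread does not say the attacker
# did this; it is the next check a responder runs after a root compromise.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Inbound block for the telnet port (23/tcp). ipfw syntax is an assumption.
telnet_block_rule() {
    printf 'ipfw add deny tcp from any to me 23 in\n'
}

# --- constructed sample data (not from the compromised machine) -------------
WORK=$(mktemp -d)

cat > "$WORK/inetd.conf" <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
EOF

cat > "$WORK/passwd.baseline" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
jason:*:1001:1001:Jason:/home/jason:/bin/sh
EOF

# Same file after the break-in: two new accounts, one of them given uid 0.
cat > "$WORK/passwd.now" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
daemon:*:1:1:Owner of many system processes:/root:/sbin/nologin
jason:*:1001:1001:Jason:/home/jason:/bin/sh
tmp:*:1002:1002::/home/tmp:/bin/sh
asaf:*:0:0::/home/asaf:/bin/sh
EOF

# --- run the triage; harden a copy so the "before" state stays visible ------
echo "accounts not in baseline: $(new_accounts "$WORK/passwd.baseline" "$WORK/passwd.now" | tr '\n' ' ')"
echo "uid-0 accounts besides root: $(extra_uid0 "$WORK/passwd.now" | tr '\n' ' ')"
cp "$WORK/inetd.conf" "$WORK/inetd.conf.hardened"
disable_telnet "$WORK/inetd.conf.hardened"
telnet_enabled "$WORK/inetd.conf" && echo "telnet enabled in original inetd.conf"
telnet_enabled "$WORK/inetd.conf.hardened" || echo "telnet disabled in hardened copy"
echo "firewall rule to add: $(telnet_block_rule)"
```

The baseline comparison only works if a known-good copy of passwd exists from before the break-in (a daily security report or an off-box backup); on a box that has been rooted, nothing on the disk itself, including inetd.conf and the telnetd binary, can be trusted, which is why Kris asks for the exploit code rather than taking the telnetd explanation at face value.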