Date:      Thu, 30 Jul 1998 00:38:49 +0800
From:      Peter Wemm <peter@netplex.com.au>
To:        "Jan B. Koum " <jkb@best.com>
Cc:        Show Boat <showboat@hotmail.com>, security@FreeBSD.ORG
Subject:   Re: Post qpopper trauma 
Message-ID:  <199807291638.AAA02315@spinner.netplex.com.au>
In-Reply-To: Your message of "Tue, 28 Jul 1998 15:05:45 MST." <Pine.BSF.3.96.980728145822.23995E-100000@shell6.ba.best.com> 

"Jan B. Koum " wrote:
[..]
> >That it is popper scares me.  The time frame is appropriate, as the 
> >eggdrop was launched in the 7pm hour of Jul 24.  
> 
> 	As jkh said at one point: it is qpopper source which should scare
> you. :)

That's nothing.. Look at the cucipop source... :-]

I dare anybody to figure out why it's miscounting the message byte lengths
from the mailbox in under 5 minutes without tracing the flow of execution..

The cucipop code truly has to be seen to be believed......  eg:
=======
     }
   }   
  ;{ int namelen=sizeof peername;
     if(getpeername(fileno(sockin),(struct sockaddr*)&peername,&namelen)&&
      !debug&&(errno==ENOTSOCK||errno==EINVAL))
      { int serverfd,curfd; 
        signal(SIGHUP,SIG_IGN);signal(SIGPIPE,SIG_IGN);fclose(stdin);
        fclose(stdout);serverfd=socket(AF_INET,SOCK_STREAM,TCP_PROT);
        peername.sin_family=AF_INET;peername.sin_addr.s_addr=INADDR_ANY;
        peername.sin_port=htons(port);curfd=-1;
        setsockopt(serverfd,SOL_SOCKET,SO_REUSEADDR,&curfd,sizeof curfd);
        if(bind(serverfd,(struct sockaddr*)&peername,sizeof peername))
=======

I've heard 'you can write fortran code in any language'..  I suspect this 
is C written by an assembler programmer.   The handcrafted optimization 
reminds me of dark periods in my past of trying to save every last clock 
cycle and/or byte of memory.

However, I feel a lot more confident about the safety of cucipop than 
qpopper..

> >I've looked through the 'last' log extensively.  Again, nothing I cannot 
> >account for.  Anyone with potential root access (sudo) logged from an IP 
> >I can account for.  
> 
> 	Unless you have a syslog daemon log to another SECURE host, you
> have no idea if your logs have been modified by an attacker.

If you are running named, check that you've got 4.9.7 or later..

I've seen a couple of script tools now that specifically scan for the 
old vulnerable named on freebsd systems.

Have a good look at places like www.rootshell.com and use their stuff on
your system to see what can get in..  You might be surprised what old stuff 
you have around that's been forgotten about.

Cheers,
-Peter
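The quoted cucipop fragment is doing one recognisable thing: it calls getpeername() on the standard input, and if that fails with ENOTSOCK (or EINVAL, which some systems return for the same situation) it concludes it was started by hand rather than by inetd, ignores SIGHUP/SIGPIPE, and opens its own listening socket with SO_REUSEADDR. The same logic written out readably follows. This is an added example, not cucipop's code (the fragment's TCP_PROT and its reuse of the uninitialised curfd as the SO_REUSEADDR flag are replaced by a plain 0 protocol and an explicit flag of 1); the names running_under_inetd, make_listener, bound_port and self_test are this example's own. It also covers the case the fragment leaves implicit: a socket with no peer (ENOTCONN, e.g. a listening socket) is neither situation, so it is reported separately instead of being treated as an inetd connection.

```c
/* Added example: the inetd-vs-standalone test from the cucipop fragment,
 * spelled out. Not cucipop's code; function names are this example's own. */
#include <errno.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* 1: fd is a connected socket (inetd handed us the client on stdin).
 * 0: fd is not a socket at all, e.g. a tty or pipe (standalone start).
 * -1: anything else, including a socket that has no peer (ENOTCONN),
 *     which the fragment's errno test would silently treat as inetd. */
int running_under_inetd(int fd)
{
    struct sockaddr_storage peer;
    socklen_t len = sizeof peer;

    if (getpeername(fd, (struct sockaddr *)&peer, &len) == 0)
        return 1;
    if (errno == ENOTSOCK || errno == EINVAL)   /* same pair cucipop checks */
        return 0;
    return -1;
}

/* Standalone mode: the listener the fragment builds, with a real flag for
 * SO_REUSEADDR (the original passes curfd, which happens to be -1).
 * Port 0 asks the kernel for an ephemeral port. Returns fd or -1. */
int make_listener(unsigned short port)
{
    struct sockaddr_in sin;
    int fd, one = 1;

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one) < 0) {
        close(fd);
        return -1;
    }
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0 || listen(fd, 5) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Port actually bound (needed after binding port 0). -1 on error. */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;

    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return ntohs(sin.sin_port);
}

/* Exercise all three cases with constructed descriptors. Returns 1 if every
 * case is classified as described above, 0 otherwise. */
int self_test(void)
{
    int p[2], sp[2], lfd, ok = 1;

    if (pipe(p) < 0 || socketpair(AF_UNIX, SOCK_STREAM, 0, sp) < 0)
        return 0;
    ok &= running_under_inetd(p[0]) == 0;    /* pipe: not a socket        */
    ok &= running_under_inetd(sp[0]) == 1;   /* connected socket: inetd   */
    lfd = make_listener(0);
    ok &= lfd >= 0 && bound_port(lfd) > 0;
    ok &= running_under_inetd(lfd) == -1;    /* listening socket: no peer */
    close(p[0]); close(p[1]); close(sp[0]); close(sp[1]);
    if (lfd >= 0) close(lfd);
    return ok;
}

int main(void)
{
    int lfd, mode = running_under_inetd(STDIN_FILENO);

    if (mode == 1) {
        puts("stdin is a connected socket: inetd mode, serve this connection");
        return 0;
    }
    signal(SIGHUP, SIG_IGN);                 /* as the fragment does */
    signal(SIGPIPE, SIG_IGN);
    if ((lfd = make_listener(0)) < 0) {
        perror("make_listener");
        return 1;
    }
    printf("standalone mode: listening on port %d\n", bound_port(lfd));
    close(lfd);
    return 0;
}
```

Run it from a terminal and it reports standalone mode; run it with a socket on stdin (as inetd would) and it reports inetd mode. The point of separating the ENOTCONN case is that the fragment's condition only enters the standalone branch for ENOTSOCK/EINVAL, so any other getpeername() failure falls through as if a client were connected.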


