From owner-freebsd-questions Mon Jun 28 4:46:34 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31])
	by hub.freebsd.org (Postfix) with ESMTP id AEA7114E21;
	Mon, 28 Jun 1999 04:46:14 -0700 (PDT)
	(envelope-from des@flood.ping.uio.no)
Received: (from des@localhost)
	by flood.ping.uio.no (8.9.3/8.9.1) id NAA80856;
	Mon, 28 Jun 1999 13:44:53 +0200 (CEST)
	(envelope-from des)
To: Keith Anderson
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: Whats going on please
References:
From: Dag-Erling Smorgrav
Date: 28 Jun 1999 13:44:52 +0200
In-Reply-To: Keith Anderson's message of "Sun, 27 Jun 1999 19:29:12 +1000 (EST)"
Message-ID:
Lines: 39
X-Mailer: Gnus v5.5/Emacs 19.34
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Keith Anderson writes:
>
> root@137~#uname -a
> FreeBSD 137.132.85.96 3.1-RELEASE FreeBSD 3.1-RELEASE #3: Wed Mar 31 14:59:17
> EST 1999 keith@work.xxx.com.au:/usr/src/sys/compile/WORK i386
>
>
> what is the '137.132.85.96' or who

It's the machine's hostname. Try typing 'hostname' or 'sysctl -n
kern.hostname' and see what it returns. BTW, this IP address belongs
to compl-r4.iscs.nus.sg, which seems to be your attacker. My guess is
that you typed 'hostname 137.132.85.96' instead of 'host
137.132.85.96' trying to look up the IP address. I can't see any
reason for the attacker to change your hostname to his IP address.

> Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to
> connect.
> Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
> Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg

Looks like a 'known services' scan turned down by TCP wrappers.

> Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
> Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received

He tried to exploit your POP server. Doesn't seem like he succeeded,
but I can't tell for sure.

Call the National University of Singapore (+65 8748026) and complain.
Don't email or fax; calling them voice forces them to take a decision
there and then, whereas email and faxes can be blackholed or answered
with form letters.

DES
-- 
Dag-Erling Smorgrav - des@flood.ping.uio.no
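
Added example, not part of the original message or written by its author: a small Python triage script that groups the syslog lines quoted above by remote host and flags any host seen on more than one service, the pattern the reply reads as a 'known services' scan. The function names, the threshold of two services and the year 1999 (syslog omits it; taken from the mail date) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines from the quoted message, with the mail wrap in the sshd line rejoined.
SAMPLE_LOG = """\
Jun 27 17:06:59 work popper[1550]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:07:00 work popper[1552]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 17:07:03 work popper[1553]: @compl-r4.iscs.nus.sg: -ERR POP EOF received
Jun 27 19:13:41 work sshd[3005]: fatal: Local: Sorry, you are not allowed to connect.
Jun 27 19:18:24 work telnetd[3014]: refused connect from compl-r4.iscs.nus.sg
Jun 27 19:18:26 work telnetd[3015]: refused connect from compl-r4.iscs.nus.sg
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ([\w.-]+)\[\d+\]: (.*)$")
# Message shapes that carry the peer name (wrapper refusal, popper prefix).
PEER = re.compile(r"refused connect from (\S+)|^@([^:\s]+):")

def parse(line, year):
    """Return (timestamp, service, peer-or-None), or None for non-syslog lines."""
    m = SYSLOG.match(line)
    if not m:
        return None
    stamp, service, msg = m.groups()
    when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    p = PEER.search(msg)
    peer = (p.group(1) or p.group(2)).lower() if p else None
    return when, service, peer

def summarize(text, year=1999):  # assumed year: syslog timestamps do not carry one
    peers = defaultdict(lambda: {"services": set(), "events": 0, "first": None, "last": None})
    unattributed = []
    for when, service, peer in filter(None, (parse(l, year) for l in text.splitlines())):
        if peer is None:
            unattributed.append((when, service))  # e.g. the sshd refusal: no source logged
            continue
        e = peers[peer]
        e["services"].add(service)
        e["events"] += 1
        e["first"] = min(e["first"] or when, when)
        e["last"] = max(e["last"] or when, when)
    return dict(peers), unattributed

def multi_service_peers(peers, threshold=2):
    """Peers seen on at least `threshold` distinct services: a service-sweep signal."""
    return sorted(p for p, e in peers.items() if len(e["services"]) >= threshold)

if __name__ == "__main__":
    peers, unattributed = summarize(SAMPLE_LOG)
    for name in multi_service_peers(peers):
        e = peers[name]
        print(name, sorted(e["services"]), e["events"], e["first"], e["last"])
    for when, service in unattributed:
        print("no source logged:", service, when)
```

The sshd refusal is reported separately because that line names no peer, so it can only be tied to the same host by its timestamp, not by the log text itself.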