Date: Wed, 19 May 1999 09:35:39 +0930 (CST)
From: Kris Kennaway <kkennawa@physics.adelaide.edu.au>
To: Keith Stevenson <k.stevenson@louisville.edu>
Cc: freebsd-security@freebsd.org
Subject: Re: Interesting Attack
Message-ID: <Pine.OSF.4.10.9905190933020.11105-100000@bragg>
In-Reply-To: <19990518085043.A6970@homer.louisville.edu>

On Tue, 18 May 1999, Keith Stevenson wrote:

> We just had a Linux box fall victim to the WuFTPD/realpath(3) exploit. The
> cracker installed a slew of IRC tools, a sniffer, and a scanner which behaved
> very similarly to what you described. Thankfully it was on a switched network
> which limited the damage done by the sniffer, and the script-kiddie who broke
> in neglected to install the trojans included in his root-kit. This made the
> ircd very easy to find once the Linux-user noticed that his system load was
> awfully high.
>
> Anyway, since this thing had "root-kit" written all over it, it wouldn't
> surprise me in the slightest if there are lots of broken linux boxen on the
> internet running these scans.

I thought of that too in my case, but port-scanning some of the originating
boxes showed no common threads other than they were all running IRC daemons.
nmap reported a wide range of OSes, too (including a lot of BSDs), and from
correspondence with the admins they showed nothing out of the ordinary on
their systems..

Kris

> Regards,
> --Keith Stevenson--
>
> --
> Keith Stevenson
> System Programmer - Data Center Services - University of Louisville
> k.stevenson@louisville.edu
> PGP key fingerprint = 4B 29 A8 95 A8 82 EA A2 29 CE 68 DE FC EE B6 A0
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

-----
"That suit's sharper than a page of Oscar Wilde witticisms that's been
rolled up into a point, sprinkled with lemon juice and jabbed into
someone's eye"

"Wow, that's sharp!"
    - Ace Rimmer and the Cat, _Red Dwarf_

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message