Security Incidents mailing list archives
Re: lots of interest in port 109 (POP2)
From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Tue, 7 Mar 2000 10:03:18 -0500
The same sort of activity has been seen on the GIAC at www.sans.org. My guess is it might not be POP2 they are looking for, but "b00ger" as per the post to this list last month.

Don
From owner-incidents () SECURITYFOCUS COM Wed Feb 23 11:51 EST 2000
Approved-By: aleph1 () SECURITYFOCUS COM
Delivered-To: incidents () lists securityfocus com
Delivered-To: incidents () SECURITYFOCUS COM
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date: Tue, 22 Feb 2000 21:32:32 -0500
Reply-To: Philip Champon <pchampon () GONK VALUEWEB NET>
Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
From: Philip Champon <pchampon () GONK VALUEWEB NET>
Subject: rooted
X-To: incidents () SECURITYFOCUS COM
To: INCIDENTS () SECURITYFOCUS COM

Today I was notified via email that a machine of ours was compromised. He told us that he gained access through UltimateBB (of recent fame and chatter on bugtraq), then used crontab (he said that he thought that was what he used) to obtain a root shell. He also told us that he replaced our sshd binary.

RedHat 6.1 (kernel 2.2.12-6.2smp) was the OS, the cron version is 2.4, and ubb was the freeware version off their site http://www.ultimatebb.com. In poking around that server we also found b00ger-rpc listed in inetd.conf and running as pop2 ??? (Does b00ger take anything other than stdin?), something in tmp called jrnt1.2, and broadscan.

If anyone has any more info on anything listed here (exploits etc.) I am all too happy to hear from you. Can anyone refute his claims of using crontab to get root? We were pretty sure that this cron version and OS release were free from any exploit issues. Even the use of ultimatebb seems strange since, as I understood it, the insecurities were regarding executing code as the user and even reading the passwd file, not actually obtaining shell access.

thanks,
Phil Champon
Systems Administrator
NOC, Valueweb
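The finding in the forwarded message that matters most to a defender is the inetd.conf entry: an unexpected program bound to the pop2 service, which is also what the port 109 scans are most likely probing for. The following added example (not part of either post, and not a tool from SANS, GIAC or SecurityFocus) shows how to audit an inetd.conf for that pattern. It parses the classic inetd.conf format, unwraps the tcpd wrapper to find the real server program, and flags entries whose program lives in a world-writable or unusual directory or does not match an expected basename for that service. The sample inetd.conf excerpt and the EXPECTED baseline table are constructed for the example; adjust the baseline to the system being checked.

```python
import os
from typing import Dict, List, Tuple

# Constructed sample inetd.conf excerpt (not from the original message). The
# pop-2 line mirrors what the post describes: an unexpected program bound to pop2.
SAMPLE_INETD_CONF = """\
# inetd.conf excerpt (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
pop-2   stream  tcp     nowait  root    /usr/sbin/tcpd  /tmp/b00ger-rpc
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
"""

# Expected server basenames per service name; an assumed baseline for this
# example, not a definitive list for any particular distribution.
EXPECTED: Dict[str, set] = {
    "pop-2": {"ipop2d"},
    "pop-3": {"ipop3d"},
    "ftp": {"in.ftpd"},
    "telnet": {"in.telnetd"},
    "finger": {"in.fingerd"},
}

# Directories where a legitimate inetd-spawned server should never live.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/", "/home/")


def parse_inetd(text: str) -> List[dict]:
    """Parse inetd.conf lines into dicts; comments and short lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd itself would reject it
        service, socktype, proto, wait, user, program = fields[:6]
        entries.append({
            "line": lineno, "service": service, "socktype": socktype,
            "proto": proto, "wait": wait, "user": user,
            "program": program, "args": fields[6:],
        })
    return entries


def effective_program(entry: dict) -> str:
    """When the service is wrapped by tcpd, the real server is the first argument."""
    if os.path.basename(entry["program"]) == "tcpd" and entry["args"]:
        return entry["args"][0]
    return entry["program"]


def audit(entries: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (line, service, reason) for entries that deviate from the baseline."""
    findings = []
    for e in entries:
        prog = effective_program(e)
        base = os.path.basename(prog)
        expected = EXPECTED.get(e["service"])
        if prog.startswith(SUSPICIOUS_DIRS):
            findings.append((e["line"], e["service"],
                             f"server program in writable/unusual directory: {prog}"))
        elif expected is not None and base not in expected:
            findings.append((e["line"], e["service"],
                             f"unexpected server {base}; expected one of {sorted(expected)}"))
    return findings


def audit_text(text: str) -> List[Tuple[int, str, str]]:
    return audit(parse_inetd(text))


if __name__ == "__main__":
    for line, service, reason in audit_text(SAMPLE_INETD_CONF):
        print(f"inetd.conf:{line}: {service}: {reason}")
```

On a live system the same check would be run against /etc/inetd.conf and paired with a package-manager verification of the listed binaries (and of sshd, which the post says was replaced), since a correct-looking path is no guarantee that the file at that path is the original.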