Security Incidents mailing list archives

Re: lots of interest in port 109 (POP2)

From: don () MAINFRAME DGRC CRC CA (Donald McLachlan)
Date: Tue, 7 Mar 2000 10:03:18 -0500


The same sort of activity has been seen on the GIAC at www.sans.org.

My guess is it might not be POP2 they are looking for, but "b00ger"
as per the post to this list last month.

Don

From owner-incidents () SECURITYFOCUS COM Wed Feb 23 11:51 EST 2000
Approved-By: aleph1 () SECURITYFOCUS COM
Delivered-To: incidents () lists securityfocus com
Delivered-To: incidents () SECURITYFOCUS COM
X-Mailer: ELM [version 2.4 PL25]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Date:         Tue, 22 Feb 2000 21:32:32 -0500
Reply-To: Philip Champon <pchampon () GONK VALUEWEB NET>
Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
From: Philip Champon <pchampon () GONK VALUEWEB NET>
Subject:      rooted
X-To:         incidents () SECURITYFOCUS COM
To: INCIDENTS () SECURITYFOCUS COM

Today I was notified via email that a machine of ours was compromised. He
told us that he gained access through UltimateBB (of recent fame and chatter
on butraq) then used crontab (he said that he thought that was what he used)
to obtain a root shell. He also told us that he replaced our sshd binary.

RedHat (kernel 2.2.12-6.2smp) 6.1 was the OS and cron version is 2.4 and ubb
was the freeware version off their site http://www.ultimatebb.com.

In poking around that server we also found b00ger-rpc listed in inetd.conf
and running as pop2 ??? (Does b00ger take anything other than stdin?),
something in tmp called jrnt1.2 and broadscan.

If anyone has anymore info on anything listed here (exploits etc) I am
all too happy to hear from you. Can anyone refute his claims of using
crontab to get root, we were pretty sure that this cron version OS release
were free from any exploit issues.  Even the use of ultimatebb seems strange
since as I understood it, the insecurities were regarding executing code as the
user and even reading the passwd file, not actually obtaining shell access.

thanks,
Phil Champon
Systems Administrator NOC, Valueweb

Current thread:

Re: Linux-box hacked, ls, ps, login modified, (continued)
- - - Re: Linux-box hacked, ls, ps, login modified Rick Tait (Mar 22)
    - Re: Linux-box hacked, ls, ps, login modified Granquist, Lamont (Mar 24)
    - 'fatal:' sshd log message Przemyslaw Frasunek (Mar 25)
    - sgi-dgl scanning Michael Stone (Mar 27)
    - unusual mail file Donald McLachlan (Mar 28)
    - Re: unusual mail file Ryan Hilton (Mar 28)
    - Front Page Extensions vventura () SIA PT (Mar 28)
    - Re: sgi-dgl scanning E. Larry Lidz (Mar 28)
    - Syn attacks ? Klavs Klavsen (Mar 28)
    - Re: lots of interest in port 109 (POP2) markus tromday (Mar 22)
- Re: lots of interest in port 109 (POP2) Donald McLachlan (Mar 07)
  - Re: lots of interest in port 109 (POP2) Paul Rice (Mar 13)
  - Munged Napster Sessions Stephen P. Berry (Mar 13)
    - Looking for Squid Proxies Cy Schubert - ITSD Open Systems Group (Mar 16)
    - Re: Munged Napster Sessions Vanja Hrustic (Mar 16)
    - Port 6112 Stuart Staniford-Chen (Mar 17)
    - Re: Port 6112 Robert Graham (Mar 20)
    - Re: Port 6112 Stuart Staniford-Chen (Mar 20)
    - nbname scans Rick Tortorella (Mar 20)
    - Port 27960 Stuart Staniford-Chen (Mar 17)
    - Re: Port 27960 steve balla (Mar 20)

(Thread continues...)