Date: Sun, 5 Jul 1998 10:14:58 +0100 (BST)
From: Scot Elliott <scot@planet-three.com.>
To: [email protected], [email protected]
Subject: Security Alert: Qualcomm POP Server
Morning all.
I caught someone last night with a root shell on our mail server. I
traced it back to somewhere in the US, but unfortunately got locked out
and the log files removed before I had time to fix it ;-(
I shut the machine down remotely by mounting /usr over NFS and changing
/usr/libexec/atrun to a shell script that ran /sbin/shutdown (neat huh?
;-)
Anyway - the point is that it looks like some kind of buffer overflow in
the POP daemon that ships with FreeBSD 2.2.6. I noticed lots of ^P^P^P...
messages from popper in the log file before it was removed. There was an
extra line in /etc/inetd.conf which ran a shell as root on some port I
wasn't using (talk I think). So I'm guessing that the exploit allows
anyone to run any command as root. Nice. Whoever it was was having a
whale of a time with my C compiler for some reason... very dodgy.
If I can find out the source of this then I'd like to follow it up. Does
anyone have experience of chasing this sort of thing from across the US
border? Also, of course, everyone should check their popper version.
Cheers
Yours - Scot.
-----------------------------------------------------------------------------
Scot Elliott ([email protected], [email protected]) | Work: +44 (0)171 7046777
PGP fingerprint: FCAE9ED3A234FEB59F8C7F9DDD112D | Home: +44 (0)181 8961019
-----------------------------------------------------------------------------
Public key available by finger at: finger [email protected]
or at: http://www.poptart.org/pgpkey.html
To Unsubscribe: send mail to [email protected]
with "unsubscribe security" in the body of the message
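The two indicators Scot reports (an inetd.conf entry that hands a caller a shell, and popper log lines full of ^P control bytes) can be checked for mechanically. The script below is an added defender-side example; it is not part of the original message and is not a tool the message names. It assumes the classic BSD inetd.conf field layout (service, socket type, protocol, wait/nowait, user, server program, arguments) and BSD syslog-style log lines; the file paths and sample entries it writes are constructed for the demonstration. The log check is slightly more general than the message: it flags any run of three or more non-printable bytes in a popper line, of which the ^P^P^P pattern is one instance.

```shell
#!/bin/sh
# Added example (not from the original message). Two read-only checks a mail
# server admin can run after an incident like the one described above.

# audit_inetd_conf FILE
# Prints "service user program" for every inetd.conf entry whose server program
# or any of its arguments is a shell interpreter: a service that gives whoever
# connects a shell is exactly the backdoor the message describes.
audit_inetd_conf() {
    awk '
    /^[ \t]*#/ || NF < 6 { next }            # skip comments, blank and short lines
    {
        hit = 0
        for (i = 6; i <= NF; i++) {           # field 6 is the program, 7+ its args
            n = split($i, parts, "/")
            if (parts[n] ~ /^(sh|bash|csh|tcsh|ksh|zsh)$/) hit = 1
        }
        if (hit) printf "%s %s %s\n", $1, $5, $6
    }' "$1"
}

# count_popper_garbage FILE
# Counts log lines that mention popper and contain three or more consecutive
# bytes outside printable ASCII (0x20-0x7e); ^P is 0x10, so "^P^P^P" qualifies.
count_popper_garbage() {
    LC_ALL=C awk '
    index($0, "popper") && $0 ~ /[^ -~][^ -~][^ -~]/ { n++ }
    END { print n + 0 }' "$1"
}

# write_samples DIR
# Writes a constructed inetd.conf and mail log into DIR so the checks can be
# exercised offline. The ntalk line stands in for the rogue entry; the first
# log line carries four literal 0x10 (^P) bytes.
write_samples() {
    cat > "$1/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd           ftpd -l
pop3    stream  tcp     nowait  root    /usr/local/libexec/popper   popper
ntalk   stream  tcp     nowait  root    /bin/sh                     sh
EOF
    printf 'Jul  5 02:11:03 mail popper[123]: -ERR Unknown command: "\020\020\020\020".\n' > "$1/maillog"
    printf 'Jul  5 02:12:10 mail popper[124]: Stats: scot 0 0 1 2048\n' >> "$1/maillog"
}

# Demonstration run on the constructed samples; point the two functions at
# /etc/inetd.conf and your real mail log on a live system.
dir=${TMPDIR:-/tmp}/popaudit.$$
mkdir -p "$dir"
write_samples "$dir"
echo "inetd.conf entries backed by a shell interpreter:"
audit_inetd_conf "$dir/inetd.conf"
echo "popper log lines containing non-printable runs: $(count_popper_garbage "$dir/maillog")"
```

On the sample data the first check reports only the ntalk entry and the second reports one log line. Both checks read files only; a hit from the first is a strong sign the host is already compromised, and the second is a cheap thing to add to a nightly log review so the noise shows up before the log files disappear.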