Subject: Re: lots of interest in port 109 (POP2)
From: Donald McLachlan (don@MAINFRAME.DGRC.CRC.CA)
Date: Tue Mar 07 2000 - 09:03:18 CST
- Next message: Donald McLachlan: "Re: web related oddity"
- Previous message: George: "UDP flood 28001-28003"
- Maybe in reply to: Russell Fulton: "lots of interest in port 109 (POP2)"
- Next in thread: Paul Rice: "Re: lots of interest in port 109 (POP2)"
- Next in thread: Pavel Kankovsky: "Re: lots of interest in port 109 (POP2)"
- Maybe reply: Donald McLachlan: "Re: lots of interest in port 109 (POP2)"
- Reply: Paul Rice: "Re: lots of interest in port 109 (POP2)"
The same sort of activity has been seen on the GIAC at www.sans.org.
My guess is it might not be POP2 they are looking for, but "b00ger"
as per the post to this list last month.
Don
> From owner-incidents@SECURITYFOCUS.COM Wed Feb 23 11:51 EST 2000
> Approved-By: aleph1@SECURITYFOCUS.COM
> Delivered-To: incidents@lists.securityfocus.com
> Delivered-To: incidents@SECURITYFOCUS.COM
> X-Mailer: ELM [version 2.4 PL25]
> MIME-Version: 1.0
> Content-Transfer-Encoding: 7bit
> Date: Tue, 22 Feb 2000 21:32:32 -0500
> Reply-To: Philip Champon <pchampon@GONK.VALUEWEB.NET>
> Sender: Incidents Mailing List <INCIDENTS@SECURITYFOCUS.COM>
> From: Philip Champon <pchampon@GONK.VALUEWEB.NET>
> Subject: rooted
> X-To: incidents@SECURITYFOCUS.COM
> To: INCIDENTS@SECURITYFOCUS.COM
>
> Today I was notified via email that a machine of ours was compromised. He
> told us that he gained access through UltimateBB (of recent fame and chatter
> on bugtraq), then used crontab (he said that he thought that was what he used)
> to obtain a root shell. He also told us that he replaced our sshd binary.
>
> RedHat 6.1 (kernel 2.2.12-6.2smp) was the OS, cron version is 2.4, and ubb
> was the freeware version off their site http://www.ultimatebb.com.
>
> In poking around that server we also found b00ger-rpc listed in inetd.conf
> and running as pop2 ??? (Does b00ger take anything other than stdin?),
> something in tmp called jrnt1.2, and broadscan.
>
> If anyone has any more info on anything listed here (exploits etc.) I am
> all too happy to hear from you. Can anyone refute his claims of using
> crontab to get root? We were pretty sure that this cron version and OS release
> were free from any exploit issues. Even the use of ultimatebb seems strange
> since, as I understood it, the insecurities were regarding executing code as the
> user and even reading the passwd file, not actually obtaining shell access.
>
> thanks,
> Phil Champon
> Systems Administrator NOC, Valueweb
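Don's point is that the port 109 probes are likely hunting for the b00ger backdoor hung off the pop2 line of inetd.conf, exactly as Phil found it. An added defender-side check, written for this archive and not code from either poster: parse inetd.conf and flag service entries whose daemon is not the expected one for that service or lives outside the system binary directories. The sample file, the expected-daemon table and the trusted-directory list are constructed assumptions to be tuned to the local baseline.

```python
# Constructed sample inetd.conf modelled on the compromise above: a backdoor
# registered under the pop2 service name. Not a real host's file.
SAMPLE_INETD_CONF = """\
# <service> <socket> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp  nowait  root   /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root   /usr/sbin/tcpd  in.telnetd
#pop-3  stream  tcp  nowait  root   /usr/sbin/tcpd  ipop3d
pop2    stream  tcp  nowait  root   /usr/sbin/tcpd  /tmp/b00ger-rpc
finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
"""

# Assumed baseline of daemon names per service on a RedHat 6.x style box.
EXPECTED_DAEMONS = {
    "pop2": {"ipop2d"},
    "pop-3": {"ipop3d"},
    "ftp": {"in.ftpd"},
    "telnet": {"in.telnetd"},
    "finger": {"in.fingerd"},
}
# Assumed directories a legitimate inetd-spawned daemon should live in.
TRUSTED_DIRS = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/usr/libexec/")


def parse_inetd_conf(text):
    """Yield (service, user, server_path, args) for each active entry."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:  # malformed line, ignore
            continue
        yield fields[0], fields[4], fields[5], fields[6:]


def audit_inetd_conf(text):
    """Return (service, reason) findings for entries that deviate from baseline."""
    findings = []
    for service, user, server, args in parse_inetd_conf(text):
        # When wrapped by tcpd, the real daemon is the first argument.
        daemon = args[0] if server.endswith("/tcpd") and args else server
        name = daemon.rsplit("/", 1)[-1]
        if service in EXPECTED_DAEMONS and name not in EXPECTED_DAEMONS[service]:
            findings.append((service, f"unexpected daemon {daemon!r}"))
        if "/" in daemon and not daemon.startswith(TRUSTED_DIRS):
            findings.append((service, f"daemon outside trusted dirs: {daemon}"))
    return findings


if __name__ == "__main__":
    for service, reason in audit_inetd_conf(SAMPLE_INETD_CONF):
        print(f"{service}: {reason}")
```

On a live host, read /etc/inetd.conf into `audit_inetd_conf` and compare the daemon binaries it names against package checksums, since a replaced binary at a trusted path (as with the sshd Phil mentions) will not show up here.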