system breach

jonathan michaels jlm at caamora.com.au
Fri Dec 29 19:39:33 PST 2006


gareth

On Fri, Dec 29, 2006 at 10:54:36PM +0200, gareth wrote:
> On Fri 2006-12-29 (10:16), Jeremy Chadwick wrote:

With regards to your last post to me (personal), I had installed FreeBSD
v6.1-RELEASE and set up X Windows (both KDE & GNOME) desktop
environments, then left the machine to sit and settle.

The machine is a Compaq ProLiant 5500 with 2 PIII Xeon 550/100, 1 MB
L2 cache. It has a 45 GB RAID5 array (35 GB data / 10 GB RAID indexing
etc.); this is built on top of a SMART-2/P array controller with a pair of
Symbios SCSI-3 host adapters.

The machine is sitting idle on a shelf while I get the several dozen DLT-IV
tapes that I've ordered for the DLT-7000 SCSI tape streamer, so that I
can save the image/filesystems to tape, then scour the disks clean and
start again.

It's got a directory in the root fs and several other files peppered all
over the array, and many entries in the system logs, all started on or
about 22 November, about 11 pm I think. Sorry, the machine is running
something else at the moment and it's a bit too hard to get the relevant
details, but if it is of any value to you or anyone else I'd be happy to
run up FreeBSD v6.1-RELEASE and get the details for you.

The compromise seems to be an "sshd coupled to an X11 subsystem, send out
pornography" type of attack. As I told you earlier, I've contacted
AusCERT and given them the open port numbers, which they confirmed as a
current local compromise that's been perpetrated by several fellows in
China (mainland), Hong Kong and from Indonesia as well. It is apparently
a reasonably well-known gang that is doing this; it could be targeting anyone
with FreeBSD v6.1-RELEASE or, more likely, the version of KDE/GNOME that
installed with FreeBSD v6.1-RELEASE.

One thing to note is that FreeBSD warns after installation (that is,
after the first night-time maintenance run), in the security mail, of 18
or so packages as being known to be compromisable and/or weak in that
respect. I didn't think much of it as I wasn't going to be using the
machine, just let it run up as it was new (to me); it's recycled from
another life and is some 10 years old (pretty new in my museum, big
grin).

If anyone else is interested in details I'd be happy to furnish them
off list.

Most kind regards,

Jonathan

Also, best wishes for the coming new year, and I hope that your Christmas
was happy, holy, safe and incident free.

-- 
================================================================
powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====
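An added example, not part of Jonathan's post nor anything from the FreeBSD project: the triage a responder would run on a box like this one before wiping it, given only the clue the post offers (activity starting around 22 November, 11 pm, involving sshd). The script builds a constructed sample tree whose mtimes are set with `touch -t`, lists every file modified after that cutoff using a POSIX `-newer` reference file (no GNU-only `-newermt`), and filters a constructed syslog-style sample for sshd lines on or after the cutoff. All paths, hostnames, addresses and log lines are made up for illustration; on a real host you would point `files_since` at `/` and feed `/var/log/auth.log` into the awk filter.

```shell
#!/bin/sh
# Added example (not from the original post): timestamp-based triage of a
# filesystem tree and an auth log after a suspected intrusion.
# Every path, date, address and log line here is constructed for illustration.
set -e

# Suspected start of the intrusion: 22 Nov 2006, 23:00 local (touch -t format).
CUTOFF="200611222300"

# Build a throwaway sample tree under a temp dir; prints its path.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/etc" "$dir/usr/local/bin" "$dir/.hidden"
    # Legitimate files dated before the cutoff.
    touch -t 200611010900 "$dir/etc/rc.conf"
    touch -t 200611150830 "$dir/usr/local/bin/hello"
    # Hypothetical files dropped after the cutoff (what an intruder left behind).
    touch -t 200611222315 "$dir/.hidden/xsvc"
    touch -t 200611230205 "$dir/usr/local/bin/.sshd2"
    echo "$dir"
}

# List regular files under $1 modified after $CUTOFF, sorted for stable output.
# A reference file plus -newer is POSIX; GNU/BSD -newermt is not.
files_since() {
    root=$1
    ref=$(mktemp)
    touch -t "$CUTOFF" "$ref"
    find "$root" -type f -newer "$ref" | sort
    rm -f "$ref"
}

# Constructed sample in syslog format (no year field), as /var/log/auth.log would have.
SAMPLE_LOG='Nov 20 08:12:01 box sshd[812]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
Nov 22 23:04:17 box sshd[913]: Accepted password for root from 203.0.113.9 port 4022 ssh2
Nov 22 23:05:02 box sshd[913]: subsystem request for sftp
Nov 23 01:40:55 box sshd[1102]: Accepted password for root from 198.51.100.7 port 2201 ssh2
Nov 23 02:00:03 box cron[1150]: (root) CMD (/usr/libexec/save-entropy)'

# Print sshd lines on/after day $1 of November, and on that day only at or
# after time $2 (HH:MM:SS; lexical compare works on zero-padded times).
sshd_lines_since() {
    day=$1
    time=$2
    printf '%s\n' "$SAMPLE_LOG" |
        awk -v d="$day" -v t="$time" \
            '$1 == "Nov" && $5 ~ /^sshd/ && ($2 + 0 > d || ($2 + 0 == d && $3 >= t))'
}

# Stand-alone demo: build the tree, report, clean up.
triage_demo() {
    tree=$(make_sample_tree)
    echo "== files modified after cutoff =="
    files_since "$tree"
    echo "== sshd activity after cutoff =="
    sshd_lines_since 22 23:00:00
    rm -rf "$tree"
}

case "${1:-}" in
    demo) triage_demo ;;
esac
```

Run it as `sh triage.sh demo`. Two things the post's own situation makes worth noting: mtimes are trivially forged by anyone with root, so the file list is a starting point rather than proof, and the log filter only catches what sshd still wrote after the compromise; a copy of the logs taken before the tapes are made is what AusCERT or anyone else doing follow-up will actually want.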

