-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
It appears you are running an exploitable version of imapd. If you
are actually using the IMAP protocol, update the daemon IMMEDIATELY.
If not, disable IMAP.
I cannot stress enough how important it is (security-wise) to keep
your software up to date.........
Scott G. Danahy
- ----- Original Message -----
From:
Hi,
Early this morning I had something like an attack on my Linux system here. After the attack, I couldn't log in as root any more. I found out that it was no longer possible to set a password in the "shadow password system". I can use only the "normal" password mechanism.
My log files showed me some hints about the attacker (if there is one):
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136
Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136
Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136
Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
. . .
Sep 15 06:53:14 d64s_pattr su: (to nobody) root on none
In my warn-file I found the following entry:
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
How is such an attack possible and, more importantly, how can I prevent such an intrusion?
I am using SuSE Linux 5.2 with a 2.0.33 kernel.
Thanks in advance for your help.
Gerd
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.1 for non-commercial use http://www.pgp.com iQA/AwUBN9+xs9CVCf10P+seEQIq7QCgp9HUR8OEhA/6lIILQDW/jHTzjZAAoNUU HTRXOedNgr/TgntHGBFxOF4d =F8te -----END PGP SIGNATURE-----
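The log review in the thread above, as an added example that is not part of the original messages: Python that parses the quoted syslog lines, flags a source making repeated imapd connections in a short window, and lists the telnet/login/su events logged shortly afterwards. The thresholds (5 connects in 60 seconds, a 10-minute follow-up window), the year placeholder and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Log lines copied from the message above; syslog omits the year.
LOG = """\
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136
Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136
Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136
Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
Sep 15 06:53:14 d64s_pattr su: (to nobody) root on none
"""

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ ([\w.]+)(?:\[\d+\])?: (.*)$")

def parse(log, year=2000):  # year is a placeholder (assumption), not from the log
    events = []
    for line in log.splitlines():
        if m := LINE.match(line):
            ts = datetime.strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S")
            events.append((ts, m[2], m[3]))
    return sorted(events)

def imapd_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Map source -> (first, last) for >= threshold imapd connects in window."""
    by_src = defaultdict(list)
    for ts, prog, msg in events:
        if prog == "imapd" and msg.startswith("connect from "):
            by_src[msg.split()[-1]].append(ts)
    hits = {}
    for src, times in by_src.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.setdefault(src, (times[i], times[i + threshold - 1]))
    return hits

def followups(events, bursts, within=timedelta(minutes=10)):
    """Interactive-access events logged shortly after any burst ended."""
    ends = [last for _, last in bursts.values()]
    return [(ts.strftime("%H:%M:%S"), prog, msg) for ts, prog, msg in events
            if prog in ("in.telnetd", "login", "su")
            and any(e <= ts <= e + within for e in ends)]

if __name__ == "__main__":
    ev = parse(LOG)
    print(imapd_bursts(ev), *followups(ev, imapd_bursts(ev)), sep="\n")
```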