Re: [suse-security] telnet and su attack on my linux
On Wed, 15 Sep 1999 15:42:05 +0200 gbruchhaus@makrolog.de writes:
Hi,
Today, in the early morning, I had something like an attack on my Linux system there <SNIP> My log files showed me some hints about the attacker (if it is one):
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136
Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136
Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136
Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
How is such an attack possible and, more important, how can I prevent such an intrusion?
I am using SuSE Linux 5.2 with a 2.0.33 kernel.
Thanks in advance for your help.
Gerd
By all accounts it looks like you got compromised via imapd, which has had some pretty recent exploits found against it (recent enough to give imapd a bad reputation). The best way to prevent an attack is simply not to run the service, or to make sure that you always update your networking programs.

As to the methodology of the attack, it was probably a buffer overrun attack: with a program tailored to your version of imapd, the cracker can break the security of the daemon and gain the temporary ability to issue commands with root permission. Just enough to let him get back into your box with a root account.

There is one good thing, though: he is more than likely a script kiddie, since he seems to have forgotten to edit your log files after his break-in. More than likely, he picked your computer simply because it happened to be running a version of imap that a program he got off the net happens to crack.

dan
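The two things dan reads out of Gerd's log are a burst of imapd connections from one address followed a few minutes later by a telnet login that syslog records with "no shadow password" and an immediate su. The script below is an added example, not code from either poster, that turns that reading into detection logic and runs it over the log lines quoted in the post. The year (1999, from the mail header), the burst threshold (five connects to one daemon from one source within 15 seconds) and the login-to-su window (60 seconds) are assumptions chosen to fit this log; the syslog and tcp_wrappers message formats are those visible in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed input: the syslog lines quoted in the post above, one per line.
# syslog carries no year; 1999 is assumed from the mail header.
LOG = """\
Sep 15 00:13:29 d64s_pattr imapd[16408]: connect from 134.102.152.136
Sep 15 00:13:29 d64s_pattr imapd[16409]: connect from 134.102.152.136
Sep 15 00:13:34 d64s_pattr imapd[16410]: connect from 134.102.152.136
Sep 15 00:13:38 d64s_pattr imapd[16411]: connect from 134.102.152.136
Sep 15 00:13:39 d64s_pattr imapd[16412]: connect from 134.102.152.136
Sep 15 00:14:59 d64s_pattr imapd[16413]: connect from root@155.207.113.137
Sep 15 00:17:12 d64s_pattr in.telnetd[16417]: connect from 24.95.241.60
Sep 15 00:17:20 d64s_pattr login[16418]: no shadow password for `shizat' on `ttyp1' from `wintersprings-ubr-c4-60.cfl.rr.com'
Sep 15 00:17:23 d64s_pattr su: (to www) shizat on /dev/ttyp1
"""

# "Mon DD HH:MM:SS host prog[pid]: msg" -- the pid is optional (su logs without one).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# tcp_wrappers: "connect from [identuser@]source"
CONNECT_RE = re.compile(r"connect from (?:(?P<ident>\S+)@)?(?P<src>\S+)")
NOSHADOW_RE = re.compile(
    r"no shadow password for `(?P<user>[^']+)' on `(?P<tty>[^']+)' from `(?P<src>[^']+)'")
SU_RE = re.compile(r"\(to (?P<target>\S+)\) (?P<user>\S+) on /dev/(?P<tty>\S+)")


def parse_line(line, year=1999):
    """Return a dict for one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def connect_bursts(events, min_conns=5, window_s=15):
    """Flag a source opening min_conns connections to the same daemon within
    window_s seconds: the imapd pattern above, where an exploit or scanner
    reconnects repeatedly in a few seconds."""
    by_key = defaultdict(list)
    for e in events:
        m = CONNECT_RE.match(e["msg"])
        if m:
            by_key[(e["prog"], m["src"])].append(e["ts"])
    hits = []
    for (prog, src), times in by_key.items():
        times.sort()
        for i in range(len(times) - min_conns + 1):
            if (times[i + min_conns - 1] - times[i]).total_seconds() <= window_s:
                hits.append({"prog": prog, "src": src, "count": len(times), "first": times[i]})
                break
    return hits


def noshadow_then_su(events, window_s=60):
    """Flag a login that syslog records with 'no shadow password', followed
    within window_s seconds by an su from the same user on the same tty."""
    hits = []
    for i, e in enumerate(events):
        m = NOSHADOW_RE.match(e["msg"])
        if not (e["prog"] == "login" and m):
            continue
        for later in events[i + 1:]:
            dt = (later["ts"] - e["ts"]).total_seconds()
            if dt > window_s:
                break
            s = SU_RE.match(later["msg"])
            if later["prog"] == "su" and s and s["user"] == m["user"] and s["tty"] == m["tty"]:
                hits.append({"user": m["user"], "tty": m["tty"], "src": m["src"],
                             "su_to": s["target"], "seconds": int(dt)})
    return hits


def analyze(log_text, year=1999):
    """Parse a syslog excerpt and apply both detections; events stay in log order."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    return {"bursts": connect_bursts(events), "su_chains": noshadow_then_su(events)}


if __name__ == "__main__":
    for name, hits in analyze(LOG).items():
        print(name)
        for h in hits:
            print("  ", h)
```

On Gerd's lines this reports one burst (imapd, 134.102.152.136, five connects in ten seconds) and one chain (shizat logged in on ttyp1 from the rr.com host and ran su to www three seconds later). The su-to-www step is what makes the chain worth alerting on regardless of how the account was created: a fresh account switching straight into the web server's identity is not normal interactive use.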
participants (1)
-
earendil7@juno.com