Security Digest Volume 3 Issue 3 subject(s): an oddity with miners@ghost.unimi.it probes TIOCCONS Sunos bug fix available The unix security mailing list is by invitation only and contains sensitive material which SHOULD NOT BE REVEALED to non-members. DO NOT PUT ANY LIST CONTENTS IN LOCATIONS ACCESSABLE TO NON-MEMBERS. If you must keep copies on-line, please encrypt them at the very least. PLEASE POST TO: security@uninet.cpd.com PLEASE SEND EMERGENCY ALERTS TO: security-emergency@uninet.cpd.com PLEASE SEND REQUESTS TO: security-request@uninet.cpd.com Postings that describe security holes/fixes have a * in their subject. ------------------------------------------------------------------------ Date: Sun, 16 Dec 90 03:32:47 -0500 From: der Mouse Subject: an oddity with miners@ghost.unimi.it probes I noticed a couple of odd things about the miners@ghost.unimi.it probes and followup letter which I haven't seen mentioned so far, so it's possible I'm the only person to have noticed it.... >From our syslog, Dec 4 06:06:00 127.0.0.1 ftpd[29870]: anon login from 131.175.10.1 (imiucca.unimi.it) Dec 4 06:06:02 127.0.0.1 ftpd[29870]: anon cmd: CWD ~root Dec 4 06:06:06 127.0.0.1 ftpd[29870]: anon cmd: pass guest Dec 4 06:06:10 127.0.0.1 ftpd[29870]: anon cmd: PORT 131,175,10,1,188,179 Dec 4 06:06:12 127.0.0.1 ftpd[29870]: anon cmd: RETR /etc/motd (The attempt failed.) I noticed this when it happened (I was logged in at the time, and I get sent such syslog messages). I nearly sent out some sort of alert (like a letter to CERT), but didn't get around to it (I wasn't thinking of it as very high priority), until the letter from miners@ghost came in. Note first that the host the FTP came from was not ghost. Note second that the letter from miners@ghost was dated December 9th - whoever it was waited *five days* after failing to crack our ftp server before sending mail! Just in case either bit of information matters.... ------------------------------------------------------------------------ Date: Tue, 18 Dec 90 22:49:00 PST From: neil (Neil Gorsuch) Subject: TIOCCONS Sunos bug fix available [ Sun distributed this on a Sunos security distribution list that can be contacted at security-features@sun.com - neil ] } For those of you that have seen the recent exchange over the network } about the "TIOCCONS Bug", Sun has just finished creating and testing the } patch for it. } } It is available via your local Sun Answer Center. Please reference the } following when calling: } Sun Bug ID : 1008324 } Sun Patch ID : for SunOS 4.1, SunOS 4.1_PSR_A - 100187-01 } : for SunOS 4.1.1 - 100188-01 ------------------------------------------------------------------------ End of Security Digest Volume 3 Issue 3 **********************