Subject: Re: sendmail (crackish?) error message question...
To: Andrew Brown <bugtraq@lists.graffiti.com>
From: Mason Loring Bliss <mason@acheron.middleboro.ma.us>
List: netbsd-help
Date: 12/17/1997 12:31:16
On 12/16/97, Andrew Brown wrote:

> >You're not running pine setuid, are you?
>
> gak!  i hate to think...

No, I don't run pine at all. I run elm sgid mail, where mail is a group
that simply owns /var/mail, but that's it.

The thing to note here that makes it unlikely that it was an automated
process trying to do something is the message that immediately preceded
the one that's getting all the attention. Here they both are again:

Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: SYSERR: putoutmsg
(user844.theonramp.net): error on output channel sending "220
acheron.middleboro.ma.us ESMTP Sendmail 8.8.8/8.8.7; Sun, 14 Dec 1997
22:43:28 -0500 (EST)": Broken pipe
Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: Null connection from
root@localhost

Both messages occurred during the same *second*. This may be coincidence,
but it seems really unlikely, since I never receive sendmail connections
from the outside world - I send and receive everything through uucp, over a
part-time dynamic ppp account.

A friend of mine was here, essentially sitting next to me, on the console,
and he was mudding. (I know he didn't have anything direct to do with the
sendmail thing, as I saw what was on his screen, and he was engrossed with
the mud.) What I *suspect* is that someone on his mud saw where he was
coming from, and decided to check it out. I saw the message on the console
right after it happened, and while I could ping the machine listed in the
message, crawling up the ports gave me no information, as either the
machine's running something other than Unix, or it's tightly bolted down,
much like mine will be pretty soon. :)

The only spot I can imagine that might have contained a vulnerability was
the client my friend was running - tintin++. It seems reasonable that if
there's a hole in it, someone seeing a connection from a mud where it's a
common means of connecting might be able to exploit the bug. Here's the
trick, though... The program was compiled and installed in my friend's home
directory, all using his processes. Root never became involved. The only
thing I can think of is that someone could have broken into my friend's
account and obtained root from there, but I didn't notice anything
suggesting that from the logs.

I think one solution I'm definitely going to implement is to snag a copy of
tcpwrappers and make just about everything available only to my local
network. That would be a start, anyway. Nothing ever needs to initiate a
connection from the outside world, and I feel that I can safely,
universally, and unashamedly ban connections from theonramp.net. :)

Later...

--
Mason Loring Bliss...mason@acheron.middleboro.ma.us...www.webtrek.com/mason
"In the drowsy dark cave of the mind dreams build their nest with fragments
 dropped from day's caravan."--Rabindranath Tagore...awake ? sleep : dream;
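As an added illustration of the correlation the message above makes by hand (not code from the original post), this script reads sendmail syslog records and flags a process that logs a broken-pipe SYSERR while writing its 220 greeting to a remote host and, in the same second, a "Null connection". The sample records are constructed: the two lines quoted above re-joined into single syslog lines, plus one unrelated Null connection from a different pid as a negative case; the regexes and function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the two records quoted in the message, re-joined into
# single syslog lines as sendmail writes them, plus one unrelated Null
# connection from another sendmail process so the check has a negative case.
SAMPLE_LOG = """\
Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: SYSERR: putoutmsg (user844.theonramp.net): error on output channel sending "220 acheron.middleboro.ma.us ESMTP Sendmail 8.8.8/8.8.7; Sun, 14 Dec 1997 22:43:28 -0500 (EST)": Broken pipe
Dec 14 22:43:28 acheron sendmail[1464]: NOQUEUE: Null connection from root@localhost
Dec 14 22:50:01 acheron sendmail[1470]: NOQUEUE: Null connection from root@localhost
"""

# BSD syslog prefix followed by the sendmail process id and the message body.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'sendmail\[(?P<pid>\d+)\]: (?P<msg>.*)$'
)
SYSERR_RE = re.compile(r'SYSERR: putoutmsg \((?P<peer>[^)]+)\): error on output channel')
NULLCONN_RE = re.compile(r'Null connection from \S+')

def parse(log_text):
    """Yield (timestamp, pid, message) for each sendmail syslog record."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group('ts'), m.group('pid'), m.group('msg')

def find_dropped_connections(log_text):
    """Return one hit per sendmail pid whose greeting to a remote peer hit a
    write error and which logged a Null connection in the same second.
    syslog timestamps have one-second resolution, so the pid match is what
    ties the two records to a single connection."""
    by_pid = defaultdict(list)
    for ts, pid, msg in parse(log_text):
        by_pid[pid].append((ts, msg))
    hits = []
    for pid, events in by_pid.items():
        pending = None  # (timestamp, peer) of a SYSERR not yet paired
        for ts, msg in events:
            m = SYSERR_RE.search(msg)
            if m:
                pending = (ts, m.group('peer'))
            elif pending and NULLCONN_RE.search(msg) and pending[0] == ts:
                hits.append({'pid': pid, 'time': ts, 'peer': pending[1]})
                pending = None
    return hits

if __name__ == '__main__':
    for hit in find_dropped_connections(SAMPLE_LOG):
        print(f"{hit['time']} pid {hit['pid']}: greeting dropped by {hit['peer']}")
```

Run against a full maillog the same way; a peer that appears repeatedly in these hits is a candidate for the tcpwrappers deny list the message talks about.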