Security Incidents mailing list archives
Re: sendmail vunerability ?
From: secure () SECUREAUSTIN COM (H D Moore)
Date: Thu, 10 Feb 2000 10:31:53 -0600
Hi,

Was LPD running on your system? Does anyone else have shell access to the machine? It looks like sendmail was used to facilitate a compromise that is based off a vulnerability in LPD. They may have used LPD to create that .forward file (containing a pipe/etc) and then used sendmail to trigger the command. There were a couple of LPD vulnerabilities posted to bugtraq over the last 6 months or so, take a look.

-HD

E Kelly Bond wrote:
I am running Redhat 6.1 with kern 2.2.12-20, and sendmail 8.9.3-15. I noticed the following in my syslog from last night:

Jan 30 05:15:33 rudolph sendmail[27418]: FAA27418: from=<>, size=2938,class=0, pri=242938, nrcpts=8, msgid=<ZOKXFgOYpTbyc.UhyP xLP2r () mail localhost com>, proto=SMTP, relay=14-100.015.popsite.net[216.126.184.100]
Jan 30 05:15:33 rudolph sendmail[27464]: FAA27418: forward/var/spool/mail/.forward.rudolph: Group writable directory
Jan 30 05:15:33 rudolph sendmail[27464]: FAA27418: forward/var/spool/mail/.forward: Group writable directory
Jan 30 05:15:36 rudolph sendmail[27452]: FAA27452: from=<>, size=2938,class=0, pri=242938, nrcpts=8, msgid=<my65UVbQoJG3c.sZYA FrpF1 () mail localhost com>, proto=SMTP, relay=14-100.015.popsite.net[216.126.184.100]
Jan 30 05:15:36 rudolph sendmail[27490]: FAA27452: forward/var/spool/lpd/.forward.rudolph writable directory
Jan 30 05:15:36 rudolphil[27490]: FAA27452: forward /var/spool/lpd/.forward:Group writable directory

The ".forward" files were not there at 8 am when I checked the logs and saw the activity. Can sendmail be used to create arbitrary directories?

K
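An added example, not part of either post: one way to triage syslog entries like those quoted above is to group sendmail's "writable directory" warnings about .forward lookups by queue ID, attach the relay from the matching from= line, and separate directories that are not ordinary user homes. The sample lines are constructed, and the function name and the `/home/` prefix are assumptions to adjust per site.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the syslog excerpt in the post
# (host names, queue IDs and addresses are made up for this example).
SAMPLE_LOG = """\
Jan 30 05:15:33 mailhost sendmail[1001]: FAA01001: from=<>, size=2938, class=0, nrcpts=8, proto=SMTP, relay=host.example.test [192.0.2.10]
Jan 30 05:15:33 mailhost sendmail[1002]: FAA01001: forward /var/spool/mail/.forward.mailhost: Group writable directory
Jan 30 05:15:33 mailhost sendmail[1002]: FAA01001: forward /var/spool/lpd/.forward: Group writable directory
Jan 30 05:15:40 mailhost sendmail[1003]: FAA01003: from=<a@example.test>, size=512, class=0, nrcpts=1, proto=SMTP, relay=localhost [127.0.0.1]
Jan 30 05:15:40 mailhost sendmail[1004]: FAA01003: forward /home/alice/.forward: World writable directory
"""

LINE = re.compile(r"sendmail\[\d+\]: (?P<qid>\w+): (?P<rest>.*)$")
RELAY = re.compile(r"\brelay=(?P<relay>.+)$")
# \s* tolerates archives that dropped the space after "forward" or the colon.
FORWARD = re.compile(r"^forward\s*(?P<path>/\S+?):\s*.*writable directory$")
# Assumption: interactive accounts live under these prefixes on this host.
USER_HOME_PREFIXES = ("/home/",)


def unsafe_forward_report(log_text):
    """Group unsafe-.forward warnings by queue ID and attach the relay."""
    relays, hits = {}, defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        qid, rest = m.group("qid"), m.group("rest")
        r, f = RELAY.search(rest), FORWARD.match(rest)
        if rest.startswith("from=") and r:
            relays[qid] = r.group("relay")
        elif f:
            # Keep the directory that held the .forward candidate.
            hits[qid].add(f.group("path").rsplit("/", 1)[0] + "/")
    report = []
    for qid in sorted(hits):
        dirs = sorted(hits[qid])
        report.append({
            "qid": qid,
            "relay": relays.get(qid, "unknown"),
            "dirs": dirs,
            "system_dirs": [d for d in dirs if not d.startswith(USER_HOME_PREFIXES)],
        })
    return report


if __name__ == "__main__":
    for row in unsafe_forward_report(SAMPLE_LOG):
        print(row)
```

Entries with a non-empty `system_dirs` list point at mail addressed to accounts whose home is a spool directory, which is the pattern in the quoted log.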