Security Incidents mailing list archives
Re: /tmp/bob on compromised system
From: Rob McCauley <robmccau () RADONC DUKE EDU>
Date: Tue, 25 Jul 2000 16:49:15 -0400
More generically, /tmp/bob is an inetd.conf file inserted through the use of some generic exploit. The intruder overflows a buffer and causes commands which create the one-line /tmp/bob and execute an inetd with /tmp/bob specified as the configuration file. /tmp/bob directs that connections to some port be passed off to /bin/sh giving a root shell on that port.

This is cut and paste stuff, so it doesn't have to be rpc.statd (I think), and it doesn't have to be any specific port (definite). I've personally seen ingreslock and pcserver. Used, I believe, to overflow rpc.cmsd. With a copy of the script you could presumably make it whatever you like.

Rob
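A triage check for the artifact described in the message above, as an added example that is not part of the original post: it flags inetd.conf-format entries whose server program is a shell, and inetd processes started with a non-default configuration file. The function names, the `/etc/inetd.conf` default, the `ps -e -o pid,args` input format and all sample lines are assumptions constructed for illustration.

```python
import os

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash", "dash"}
DEFAULT_CONF = "/etc/inetd.conf"  # assumed default path; adjust per platform


def shell_entries(conf_text):
    """Return (service, user, server) for entries that hand connections to a shell."""
    hits = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        # inetd.conf fields: service socket-type protocol wait-flag user server [args]
        if len(fields) < 6:
            continue
        service, user, server = fields[0], fields[4], fields[5]
        if os.path.basename(server) in SHELLS:
            hits.append((service, user, server))
    return hits


def odd_inetd_processes(ps_lines):
    """Return (pid, config) for inetd processes given a non-default config file."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        pid, argv = parts[0], parts[1].split()
        if os.path.basename(argv[0]) != "inetd":
            continue
        # inetd takes its configuration file as a bare path argument
        for arg in argv[1:]:
            if arg.startswith("/") and arg != DEFAULT_CONF:
                hits.append((pid, arg))
    return hits


# Constructed sample data: one legitimate entry and one of the kind described above.
SAMPLE_CONF = (
    "# constructed sample\n"
    "ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n"
    "ingreslock stream tcp nowait root /bin/sh sh -i\n"
)
# Constructed sample of `ps -e -o pid,args` output lines.
SAMPLE_PS = ["  412 /usr/sbin/inetd", " 9731 /usr/sbin/inetd /tmp/bob", " 9800 -bash"]

if __name__ == "__main__":
    print(shell_entries(SAMPLE_CONF))
    print(odd_inetd_processes(SAMPLE_PS))
```

Run `shell_entries` over the system's own inetd.conf as well as any file named by `odd_inetd_processes`, since the file name and the service name vary between incidents.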