Security Incidents mailing list archives

Re: LPRng remote root exploit seen in the wild

From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Mon, 27 Nov 2000 11:13:49 +1300

On Wed, 22 Nov 2000 16:51:30 -0500 Matt Power
<mhpower () BOS BINDVIEW COM> wrote:

On November 19, a Red Hat 7.0 i386 Linux system was found to be root
compromised, with the lpd from the LPRng-3.6.22-5 package as the
apparent point of entry. Specifically, it is thought that the
intruder had possession of a remote-root exploit program for the LPRng
vulnerability described at

  http://www.redhat.com/support/errata/RHSA-2000-065-06.html


Just to add to this head up.  We saw three major scans for port 515
over the weekend (and one about 10 days ago).  All scans probed many
thousands of addresses in our /16 address space (one probed every one).

Cheers, Russell

Russell Fulton, Computer and Network Security Officer.
The University of Auckland, New Zealand.

Current thread:

LPRng remote root exploit seen in the wild Matt Power (Nov 24)
- Re: LPRng remote root exploit seen in the wild Russell Fulton (Nov 28)
- <Possible follow-ups>
- Re: LPRng remote root exploit seen in the wild Jens Hektor (Nov 29)