nanog mailing list archives
Re: Exodus: this is bad
From: "Alex P. Rudnev" <alex () Relcom EU net>
Date: Thu, 19 Nov 1998 14:40:58 +0300 (MSK)
Not only... But there are a lot of brainless schoolboys who are trying to use just this 'imapd' exploit and (due to the number of them) have trojaned a lot of computers all over the world. It's amazing, but a few times I saw a stack of trojans installed one over another.

To be correct, there are a lot of _really used_ ways to break the system. The best (and easiest) were the 'imapd' and 'qpopper' exploits (you simply run a scanner and it detects these services, then you run the exploit and it reports _you are root, go on_, then you ftp 'lrk3' or 'lrkb' or 'root_toolkit' and install it). Another way is to use sniffed accounts for user access, and then you have a lot of exploits to get root; the most popular are the 'lprm' and 'X11' exploits for Linux, and loadmodule and ufsrestore for Solaris and SunOS.

If you did not have these security holes, it does not mean you were broken, but your chance of being broken decreases from 30% (for Linux with IMAPD) to 1 - 2 % (for other holes).

I am not sure about BIND, but I saw BIND scanning, and some logs looked like:

    ns.xxx.yyy volurentable
    ....
    ns.zz.ww not volurentable

and I suspect someone has tried to use BIND's bugs too.

On 18 Nov 1998, Michael Shields wrote:
> Date: 18 Nov 1998 21:25:18 +0000
> From: Michael Shields <shields () msrl com>
> To: "Steven J. Sobol" <sjsobol () nacs net>
> Cc: "Alex P. Rudnev" <alex () Relcom EU net>, Richard Irving <rirving () onecall net>, Jared Mauch <jared () puck nether net>, Adam Rothschild <asr () millburn net>, list () inet-access net, nanog () merit edu
> Subject: Re: Exodus: this is bad
>
> In article <19981118150133.28606 () shell nacs net>, "Steven J. Sobol" <sjsobol () nacs net> wrote:
> > On Tue, Nov 17, 1998 at 02:14:53PM +0300, Alex P. Rudnev wrote:
> > > Folks. All (ALL) Linux-based NS servers
> >
> > even running bind 8.1.2?
>
> Yes, if, as his message continued in the part deleted, you are running an unpatched imapd on the same machine.
> --
> Shields.
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)