Bugtraq mailing list archives

identd hole?


From: blh () nol net (Brett L. Hawn)
Date: Mon, 15 Jul 1996 17:57:36 -0500


Lately I've heard rumours about this 'identd' hole in RFC1413, we've seen
this abused on IRC several times in recent days. Then today I had someone
claim they had the root password on my machine at home. So I telnetted in,
changed it and waited since he claimed he was going to hack it. Apparently
he did because I caught him with a login process which I promptly killed,
then being rather peeved I /kill'd him on irc. This apparently pissed him
off even more so he re-hacked my machine and brought it down, at this time
I'm not even sure if it's revivable as I've not had a chance to check it,
all I know is that it's dead in the water currently. Right after that I did a
netstat -n on the machine I was on at work. Voila.. there were about two
dozen connections from his IP (I checked) to my identd port (113). Now I'm
guessing that Solaris 2.5x86 doesn't have the same bug or I caught it in
time since I saw no adverse effects on that machine. The machine affected
(and killed) was a linux 2.0.0 machine, but I have heard of many other
machines of random type being affected in such a manner.

Aleph-1 mentioned that it might be a sendmail overrun bug if the connections
were to HIS ident port but they were not. All the same this bug is also news
to me (I'm fairly new to bugtraq) and I can only assume that this also has
been used in the past(?). My current sendmail on *all* of my machines is
8.7.5 but I'm willing to bet that there are already hacks to that one as
well.

[-]                  Brett L. Hawn (blh () nol net)                           [-]
[-]                Networks On-Line - Houston, Texas                       [-]
[-]                           713-467-7100                                 [-]
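A defender's check for the pattern Brett describes (a burst of simultaneous connections from one address to the local identd port), added here as an example that is not part of the original post. It assumes Linux-style `netstat -n` columns and runs over a constructed sample rather than live output.

```python
"""Flag remote hosts holding many simultaneous connections to local port 113.

Assumption (not from the original message): Linux-style `netstat -n` rows with
columns Proto Recv-Q Send-Q Local-Address Foreign-Address State.
"""
from collections import Counter

IDENTD_PORT = 113

def parse_netstat(lines):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for TCP rows."""
    for line in lines:
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # skip header, UDP rows and unix-socket rows
        local, remote, state = parts[3], parts[4], parts[5]
        lip, lport = local.rsplit(":", 1)   # rsplit so IPv6 "::" survives
        rip, rport = remote.rsplit(":", 1)
        yield lip, int(lport), rip, int(rport), state

def identd_connections_by_remote(lines):
    """Count connections per remote IP whose local endpoint is identd (113)."""
    counts = Counter()
    for _lip, lport, rip, _rport, _state in parse_netstat(lines):
        if lport == IDENTD_PORT:
            counts[rip] += 1
    return counts

def flag_identd_floods(lines, threshold=10):
    """Return {remote_ip: count} for hosts at or above the threshold."""
    return {ip: n for ip, n in identd_connections_by_remote(lines).items()
            if n >= threshold}

# Constructed sample: one remote host holds 12 connections to port 113, plus
# two unrelated connections that must not be flagged.
SAMPLE = ["Proto Recv-Q Send-Q Local Address           Foreign Address         State"]
SAMPLE += ["tcp        0      0 192.0.2.10:113          198.51.100.7:%d      ESTABLISHED"
           % (40000 + i) for i in range(12)]
SAMPLE += [
    "tcp        0      0 192.0.2.10:113          203.0.113.5:51022       ESTABLISHED",
    "tcp        0      0 192.0.2.10:22           203.0.113.9:60100       ESTABLISHED",
]

if __name__ == "__main__":
    for ip, n in flag_identd_floods(SAMPLE).items():
        print("%s: %d connections to identd" % (ip, n))
```

On a live box, feed it `netstat -n` output (e.g. `subprocess.check_output(["netstat", "-n"]).decode().splitlines()`) and lower the threshold to suit normal IRC/SMTP ident traffic.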
