Bugtraq mailing list archives
Re: IRIX 6.2 passwordless accounts exploit?
From: morex () NIRVANA NET (morex .-)
Date: Mon, 28 Sep 1998 19:18:25 -0400
I believe the script that they're using is called mscan (mass scan) and it can be found on rootshell. I have had a lot of shell users / kids running this.

morex .-
http://morex.net
http://www.worldnetworks.net

On Mon, 28 Sep 1998, Dan Stromberg wrote:
> We've had a lot of script kiddies running an exploit against our campus, that checks for accounts that are passwordless by default in IRIX 6.2 - like 4Dgifts, EZsetup, and so on. I've seen indications this isn't limited to our campus...
>
> This script has been generating hordes of syslog entries like:
>
> Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
>
> Amusingly, our suns, decs and linux machines run a fake tcpmux, so we have lots of somewhat clueless kiddies checking for this vulnerability on machines of the wrong OS :).
>
> Anyway, can anyone make this exploit available, so I don't need to reinvent the wheel in order to check for this myself? It'd probably be easy in python, but it'd be nice to have "the real thing", the script the kiddies are using themselves. I checked rootshell.com, queried for sgi and 4Dgifts, but nothing relevant popped up.
>
> I know, if I "were a white hat" I could check /etc/passwd (or /etc/shadow) myself. It's complicated. And I am a white hat. Besides, the list is full disclosure.
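For defenders reading this thread, the following is an added example (not part of either post) that groups syslog lines of the shape quoted above by the remote host that tried the default accounts. The watch list holds only the two account names mentioned in the post, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Accounts named in the post; extend with the default accounts on your own hosts.
WATCHED_ACCOUNTS = {"4Dgifts", "EZsetup"}

# Shape of the login failure quoted in the post:
#   Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
FAILED_LOGIN = re.compile(
    r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<target>\S+) login\[\d+\]: "
    r"failed: [^@\s]*@(?P<source>\S+) as (?P<account>\S+)\s*$"
)

# Constructed sample: the first line is the one quoted in the post,
# the rest are made up in the same format.
SAMPLE_LOG = """\
Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
Sep 27 12:43:21 foo.bar login[16312]: failed: ?@warble.frob as EZsetup
Sep 27 12:43:40 baz.bar login[901]: failed: ?@warble.frob as 4Dgifts
Sep 27 12:50:02 foo.bar login[16400]: failed: alice@lab1.example as alice
Sep 27 13:01:11 baz.bar login[950]: failed: ?@quux.example as 4Dgifts
Sep 27 13:02:00 foo.bar sendmail[77]: unrelated line
"""

def summarize_probes(lines, watched=WATCHED_ACCOUNTS):
    """Group failed logins to watched accounts by the remote host that tried them."""
    summary = defaultdict(lambda: {"accounts": set(), "targets": set(), "attempts": 0})
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if not m or m.group("account") not in watched:
            continue  # unrelated line, or an ordinary user's failed login
        entry = summary[m.group("source")]
        entry["accounts"].add(m.group("account"))
        entry["targets"].add(m.group("target"))
        entry["attempts"] += 1
    return dict(summary)

def sweeping_sources(summary, min_targets=2):
    """Sources that tried watched accounts on several of our hosts (scan-like)."""
    return sorted(s for s, e in summary.items() if len(e["targets"]) >= min_targets)

if __name__ == "__main__":
    report = summarize_probes(SAMPLE_LOG.splitlines())
    for source, e in sorted(report.items()):
        print(source, e["attempts"], sorted(e["accounts"]), sorted(e["targets"]))
    print("sweeping:", sweeping_sources(report))
```
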