Security Incidents mailing list archives

Re: sadmind hack?


From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Thu, 13 Apr 2000 15:50:48 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Looks like someone _attempted_ to exploit the rpc.sadmind overflow
bug on your system - see http://www.securityfocus.com/bid/866.  Those
log entries indicate that at least those attempts failed, probably
due to the machine code in the buffer being misaligned, causing the
Bus Error.  It's possible that further attempts were successful; it's
also possible they failed.  I would assume they were successful
without knowing much more, and that they compromised root on your
system.

Oliver Friedrichs
securityfocus.com

-----Original Message-----
From: Yip Chan Keong [mailto:ckyip () SINGAREN NET SG]
Sent: Wednesday, April 12, 2000 11:13 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: sadmind hack?


I have gotten the following messages in my /var/adm/messages file on my
Solaris 2.6 host. Is it a sign of a break-in? Telnet and FTP on my host are
limited by TCP wrappers. Any idea how the exploit is made?

Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup

many thanks and regards,
/yck


-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>

iQA/AwUBOPZNcsm4FXxxREdXEQIYwgCZASWXU6f6YtTu15nxJvA3J46IbdIAn22l
kM1vZZOZd1quQO3xwnbtgi/k
=oLNy
-----END PGP SIGNATURE-----
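
The log triage discussed in this message can be automated. The following is an added example, not part of the original thread: it rejoins hard-wrapped syslog lines and flags bursts of inetd-reported crashes of one service, the pattern seen in the sadmind entries. The function names, the 60-second window, the threshold and the year (syslog lines carry none) are assumptions, and the last sample line is constructed.

```python
import re
from datetime import datetime, timedelta

# Entries from the message, hard-wrapped as a mail client might leave them, plus one constructed benign line.
SAMPLE = """\
Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error
- core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind:
Segmentation Fault - core
 dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error
- core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind:
Segmentation Fault - core
 dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
Apr 12 09:10:02 xxxx inetd[138]: /usr/sbin/in.ftpd: Hangup
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) inetd\[\d+\]: (\S+): (.+)$")
CRASH = ("Bus Error", "Segmentation Fault")  # the two crash messages shown in the log

def unwrap(text):
    """Rejoin wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def crash_bursts(text, year=2000, window=timedelta(seconds=60), threshold=2):
    """Return (service, first_crash, count) for runs of crashes spaced <= window apart."""
    runs = {}  # service path -> list of runs, each a list of crash times
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m or not m.group(4).startswith(CRASH):
            continue  # not an inetd child report, or a non-crash exit such as Hangup
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        svc_runs = runs.setdefault(m.group(3), [])
        if svc_runs and when - svc_runs[-1][-1] <= window:
            svc_runs[-1].append(when)   # continues the current burst
        else:
            svc_runs.append([when])     # starts a new burst
    return [(s, r[0], len(r)) for s, rs in runs.items() for r in rs if len(r) >= threshold]

if __name__ == "__main__":
    print(crash_bursts(SAMPLE))
```

A burst is only evidence that something repeatedly crashed the service; as the reply says, it does not show whether a later attempt succeeded.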

