Security Incidents mailing list archives
Re: sadmind hack?
From: OFriedrichs () SECURITY-FOCUS COM (Oliver Friedrichs)
Date: Thu, 13 Apr 2000 15:50:48 -0700
Looks like someone _attempted_ to exploit the rpc.sadmind overflow bug on your system - see http://www.securityfocus.com/bid/866.

Those log entries indicate that at least those attempts failed, probably due to the machine code in the buffer being misaligned, causing the Bus Error. It's possible that further attempts were successful, it's also possible they failed. I would assume they were successful without knowing much more, and that they compromised root on your system.

Oliver Friedrichs
securityfocus.com

-----Original Message-----
From: Yip Chan Keong [mailto:ckyip () SINGAREN NET SG]
Sent: Wednesday, April 12, 2000 11:13 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: sadmind hack?

I have gotten the following messages in my /var/adm/messages file on my Solaris 2.6 host. Is it a sign of a break-in? Telnet and ftp on my host are limited by tcp wrappers. Any idea how the exploit is made?

Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup

many thanks and regards,
/yck
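
Added example (not part of the original posts): a small log check that finds the pattern discussed in this thread, several memory-fault exits of one inetd-spawned service within a few seconds. The function names, the 30-second gap, the threshold of 3 and the year default are assumptions; the line layout and the two fault names are taken from the quoted log lines. A reported burst only shows that attempts crashed the service, so a run that stops is not evidence that every attempt failed.

```python
import re
from datetime import datetime, timedelta

# Sample input: the /var/adm/messages lines quoted in the post above.
SAMPLE = """\
Apr 12 06:43:34 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:36 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:39 xxxx inetd[138]: /usr/sbin/sadmind: Bus Error - core dumped
Apr 12 06:43:41 xxxx inetd[138]: /usr/sbin/sadmind: Segmentation Fault - core dumped
Apr 12 06:43:44 xxxx inetd[138]: /usr/sbin/sadmind: Hangup
"""

# Layout taken from the quoted lines: "<path>: <signal name>[ - core dumped]".
LINE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) (\S+) inetd\[\d+\]: (/\S+): (.+?)( - core dumped)?$")
# Fault names as they appear in the quoted log (extend for your platform).
FAULTS = {"Bus Error", "Segmentation Fault"}

def parse(text, year=2000):
    """Return (time, host, binary, signal, cored) for each inetd child-exit line.
    Syslog omits the year, so the caller supplies it (assumption)."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((ts, m.group(2), m.group(3), m.group(4), bool(m.group(5))))
    return out

def crash_bursts(text, gap=timedelta(seconds=30), threshold=3, year=2000):
    """Group fault exits of one service on one host into runs whose events are
    at most `gap` apart; report runs with at least `threshold` events."""
    by_service = {}
    for ts, host, binary, sig, _ in parse(text, year):
        if sig in FAULTS:
            by_service.setdefault((host, binary), []).append(ts)
    bursts = []
    for (host, binary), times in by_service.items():
        times.sort()
        run = [times[0]]
        for t in times[1:] + [None]:          # None flushes the final run
            if t is not None and t - run[-1] <= gap:
                run.append(t)
                continue
            if len(run) >= threshold:
                bursts.append({"host": host, "binary": binary,
                               "first": run[0], "last": run[-1], "count": len(run)})
            run = [t]
    return bursts
```
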