Security Incidents mailing list archives
Re: Rooted through in.identd on Red Hat 6.0
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Thu, 20 Apr 2000 10:03:34 +0200
On Wed, Apr 19, 2000 at 05:02:13AM -0000, Del Elson wrote:

> Hi,

Hi.

> A client was hacked last week by what looked like a buffer overflow through in.identd. This was on a Red Hat 6.0 box.

I doubt this. RedHat 6.0 uses pidentd 2.8.5, which should be pretty secure. I audited it myself, too, and found no vulnerabilities. Neither do I know of any exploits or holes in it.

> RH don't have any current security notices or fixes for in.identd on their servers, and I haven't seen other boxes hacked through in.identd recently.

Most likely because in.identd (pidentd 2.8.5 that is) is secure.

> The hacker left the usual trace in /.bash_history, which ran like:

A hacker being that stupid leaving such obvious traces would more likely use some standard BIND NXT or RPC vulnerabilities to compromise your system. Also he doesn't install a kernel module but uses standard rootkit tricks, which are easy to discover.

> ... installing a back door and a partial cover of tracks.
>
> The only messages in /var/log/messages around the time were:
>
> Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
> Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
> Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
> Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21

Yes, he used FTP to transfer his backdoor kit. Most likely.

> Anyone know of any current bug notices, exploits, or patches for in.identd?

No, No, No.

> Del
ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
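The inference scut draws from the quoted identd lines (an RFC 1413 query "1176, 21" means this host's port 1176 was connected to port 21 on the querying host, i.e. the box was an FTP client of the remote machine) can be automated as a small defender-side check. The following is an added example, not code from the thread or from pidentd; the log text is constructed from the lines quoted above, and the service table and function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the pidentd entries quoted in the thread.
SAMPLE_LOG = """\
Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
"""

# An ident query "lport, rport" asks who on *this* host owns the TCP connection
# from local port lport to port rport on the querying host (RFC 1413). So a query
# naming a well-known rport means this host was the *client* of that remote service.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ identd\[(?P<pid>\d+)\]: "
    r"from: (?P<ip>[\d.]+) \( [\d.]+ \) for: (?P<lport>\d+), (?P<rport>\d+)$"
)

# Remote services whose ident lookups of us reveal an outbound session (assumed table).
OUTBOUND_SERVICES = {21: "ftp"}


def parse_ident_queries(log_text):
    """Return one dict per 'for:' line: timestamp, pid, remote ip, local/remote port."""
    queries = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue  # 'Connection from' lines carry no port pair; skip them
        q = m.groupdict()
        for key in ("pid", "lport", "rport"):
            q[key] = int(q[key])
        queries.append(q)
    return queries


def outbound_sessions(log_text):
    """Group queries by remote host, keeping only those that expose an outbound
    connection from this host to a known service on the remote side."""
    by_host = defaultdict(list)
    for q in parse_ident_queries(log_text):
        service = OUTBOUND_SERVICES.get(q["rport"])
        if service:
            by_host[q["ip"]].append((q["ts"], service, q["lport"]))
    return dict(by_host)


if __name__ == "__main__":
    for host, sessions in outbound_sessions(SAMPLE_LOG).items():
        for ts, service, lport in sessions:
            print(f"{ts}: local port {lport} -> {service} server at {host}")
```

Run against a real /var/log/messages, every host reported here is a place this machine pushed or pulled files from, which is exactly the kind of outbound transfer a post-compromise toolkit download would leave behind.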