Security Incidents mailing list archives

Re: Rooted through in.identd on Red Hat 6.0


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Thu, 20 Apr 2000 10:03:34 +0200


On Wed, Apr 19, 2000 at 05:02:13AM -0000, Del Elson wrote:

> Hi,

Hi.

> A client was hacked last week by what looked like a buffer
> overflow through in.identd.  This was on a Red Hat 6.0
> box.

I doubt this.

RedHat 6.0 uses pidentd 2.8.5, which should be pretty secure. I audited it
myself, too, and found no vulnerabilities. Neither do I know of any exploits
or holes in it.

> RH don't have any current security notices or fixes for
> in.identd on their servers, and I haven't seen other
> boxes hacked through in.identd recently.

Most likely because in.identd (pidentd 2.8.5 that is) is secure.

> The hacker left the usual trace in /.bash_history, which
> ran like:

A hacker being that stupid leaving such obvious traces would more likely use
some standard BIND NXT or RPC vulnerabilities to compromise your system.

Also he doesn't install a kernel module but uses standard rootkit tricks,
which are easy to discover.

> ... installing a back door and a partial cover of tracks.

> The only messages in /var/log/messages around the time
> were:
>
> Apr  8 23:15:57 home identd[12006]: Connection from 200.192.58.201
> Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
> Apr  8 23:16:05 home identd[12007]: Connection from 200.192.58.201
> Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21

Yes, he used FTP to transfer his backdoor kit. Most likely.

> Anyone know of any current bug notices, exploits, or
> patches for in.identd?

No, No, No.

> Del

ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ --- you don't need a --
-- lot of people to be great, you need a few great to be the best ------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
-- data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon -
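An added example, not part of either mail above: a small parser for the pidentd lines Del quoted, read the RFC 1413 way (the querier asks about "port on the queried host, port on the querier"), which is why "for: 1176, 21" records an outbound connection from home:1176 to the querier's port 21 and backs scut's reading that FTP was used from the box. The two identd lines are taken from the quoted log; the third sample line (10.0.0.5, port 22) is constructed to show the inbound case.

```python
import re
from dataclasses import dataclass
from typing import List

# syslog prefix, then the pidentd "from: A ( B ) for: lport, fport" record.
IDENTD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) identd\[(?P<pid>\d+)\]: "
    r"from: (?P<peer>\S+) \( \S+ \) for: (?P<lport>\d+), (?P<fport>\d+)$"
)

@dataclass
class IdentQuery:
    ts: str
    pid: int
    peer: str    # host that sent the ident query
    lport: int   # port on the local (queried) host
    fport: int   # port on the querying host

def parse_identd(lines: List[str]) -> List[IdentQuery]:
    """Keep only the 'for:' records; 'Connection from' lines carry no ports."""
    out = []
    for line in lines:
        m = IDENTD_RE.match(line)
        if m:
            out.append(IdentQuery(m["ts"], int(m["pid"]), m["peer"],
                                  int(m["lport"]), int(m["fport"])))
    return out

def classify(q: IdentQuery) -> str:
    # A well-known port on the querier's side means the local box was the
    # client of that service, i.e. the connection was outbound from here.
    if q.fport < 1024 <= q.lport:
        return f"outbound to {q.peer}:{q.fport} from local port {q.lport}"
    if q.lport < 1024 <= q.fport:
        return f"inbound from {q.peer}:{q.fport} to local port {q.lport}"
    return "indeterminate"

def outbound_ftp(queries: List[IdentQuery]) -> List[IdentQuery]:
    """Ident queries that reveal an FTP session initiated from this host."""
    return [q for q in queries if q.fport == 21 and q.lport >= 1024]

SAMPLE = [
    "Apr  8 23:15:57 home identd[12006]: Connection from 200.192.58.201",
    "Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21",
    "Apr  8 23:16:05 home identd[12007]: Connection from 200.192.58.201",
    "Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21",
    # constructed line: an inbound ssh session, for contrast
    "Apr  8 23:20:11 home identd[12010]: from: 10.0.0.5 ( 10.0.0.5 ) for: 22, 40211",
]

if __name__ == "__main__":
    for q in parse_identd(SAMPLE):
        print(q.ts, q.pid, classify(q))
```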