Security Incidents mailing list archives

Re: Rooted through in.identd on Red Hat 6.0


From: Erich.Meier () INFORMATIK UNI-ERLANGEN DE (Erich Meier)
Date: Thu, 20 Apr 2000 15:58:16 +0200


On Wed, Apr 19, 2000 at 05:02:13AM -0000, Del Elson wrote:
> Hi,
>
> A client was hacked last week by what looked like a buffer
> overflow through in.identd.  This was on a Red Hat 6.0
> box.

Hmmm, I am not so sure that identd is to blame.

> RH don't have any current security notices or fixes for
> in.identd on their servers, and I haven't seen other
> boxes hacked through in.identd recently.
>
> The hacker left the usual trace in /.bash_history, which
> ran like:
>
> mkdir /usr/lib/... ; cd /usr/lib/...

Could it be that this ftp connection caused an identd lookup done by the
ftpd at 200.192.58.201?

Then in.identd would not be guilty.

> ftp 200.192.58.201 21
> [...]
>
> ... installing a back door and a partial cover of tracks.
>
> The only messages in /var/log/messages around the time
> were:
>
> Apr  8 23:15:57 home identd[12006]: Connection from 200.192.58.201
> Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
> Apr  8 23:16:05 home identd[12007]: Connection from 200.192.58.201
> Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
>
> ... the IP address traces back to somewhere in Brazil.

Erich

--
Erich Meier                              Erich.Meier () informatik uni-erlangen de
                                 http://www4.informatik.uni-erlangen.de/~meier/
 Dilbert: "Today I started hating people in advance." Dogbert: "It saves time."
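A small log-correlation check for the theory raised in this reply, added here as an example and not part of the thread: it parses identd "from: ... for: a, b" entries (per RFC 1413 the first number is the port on the host running identd, the second the port on the querying host) and marks a lookup as explained when the querying host and port match an outbound ftp command recorded in the shell history. The sample log lines and history are constructed from the quoted report, with one extra unrelated identd entry added to show the unexplained case.

```python
import re

# Constructed sample input: the two identd entries from the report (unwrapped onto
# single lines) plus one invented lookup from another host for contrast.
IDENTD_LOG = """\
Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr  8 23:20:11 home identd[12031]: from: 10.0.0.9 ( 10.0.0.9 ) for: 1190, 113
"""
# Constructed sample of the recovered /.bash_history.
BASH_HISTORY = """\
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
"""

IDENT_RE = re.compile(r"identd\[\d+\]: from: (\S+) \( \S+ \) for: (\d+), (\d+)")
FTP_RE = re.compile(r"^ftp\s+(\S+)(?:\s+(\d+))?")


def parse_ident_lookups(log):
    """Return (querying_host, local_port, remote_port) for each 'for: a, b' entry.
    local_port is the port on the identd host, remote_port the port on the querier,
    so a remote_port of 21 means the querier was an ftpd this box had connected to."""
    lookups = []
    for line in log.splitlines():
        m = IDENT_RE.search(line)
        if m:
            lookups.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return lookups


def parse_outbound_ftp(history):
    """Collect (host, port) pairs from 'ftp HOST [PORT]' commands; port defaults to 21."""
    targets = set()
    for line in history.splitlines():
        m = FTP_RE.match(line.strip())
        if m:
            targets.add((m.group(1), int(m.group(2) or 21)))
    return targets


def classify(lookups, outbound):
    """Split ident lookups into those explained by a recorded outbound session
    (same remote host and remote port) and those that still need an explanation."""
    explained, unexplained = [], []
    for host, lport, rport in lookups:
        (explained if (host, rport) in outbound else unexplained).append((host, lport, rport))
    return explained, unexplained
```

Run over the constructed sample, both lookups from 200.192.58.201 are explained by the outbound ftp command, which matches this reply's reading that identd was answering the remote ftpd rather than being the entry point.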