Security Incidents mailing list archives

Re: Compromised...


From: scut () NB IN-BERLIN DE (Sebastian)
Date: Wed, 9 Feb 2000 19:01:16 +0100


On Wed, Feb 09, 2000 at 11:09:00AM +0100, technot wrote:

> About this BIND exploit.
> I would be grateful if someone could tell me how it works.
> I have tested it on my own system, and it worked fine, but I don't really
> understand the concept.
>
> When I tested on my system I needed 3 Linux boxes.
> box1: running BIND 8.2 (or 8.2.1)
> box2: setup some stuff in the nameserver running
> box3: running the exploit
>
> As I understand it, box2 sends a DNS query to box3 which is running the
> exploit. The exploit then sends a query to box1 and falls into some sort
> of loop, and all of a sudden there was the root shell.
> If someone would explain how/what exactly happens, I would be very
> grateful.

You make the remote nameserver query a host within a domain you have control
over. The nameserver tries to resolve that host by querying your
pseudo-nameserver. The pseudo-nameserver (the exploit, that is) sends a packet
back with a malformed NXT record, which causes a buffer overrun on the remote
server.

> And I read something here about someone finding a user called "web" or
> something after being "cracked". Why does the cracker/hacker (call it what
> u want ;) add a user at all, why not create a simple /bin/login trojan or
> something in that manner ;p

Well, that's only a temporary thing, like it isn't very comfortable to install
backdoors from portshells and the user wants to have a fully featured telnet
daemon terminal ;-). Therefore a simple

cat /etc/passwd | sed 's/:<uid>:/:0:/' > /etc/p; rm -f /etc/passwd;
mv /etc/p /etc/passwd;

(and a similar line for shadow)

will allow you to log on as someone else through telnet. Then a backdoor will
be installed and the account reinstalled.

> - technot
> linux administrator

ciao,
scut

--
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet   --
-- you don't need a lot of people to be great, you need a few great to be  --
-- the best ------------------------------------------------------------------
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
--- aquired Talon operating system source, awaiting orders, hi echelon -------
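Editor's note, an added example that is not part of scut's mail and not code from BIND or from the exploit he describes. The answer from the attacker's pseudo-nameserver is attacker-controlled data, so the check the resolver side needs is to bounds-check the NXT RDATA (next-domain name followed by a type bitmap, RFC 2535) before copying any of it. The walk below does that over three constructed response packets: one well-formed NXT answer, one whose RDLENGTH claims more octets than the packet holds, and one whose next-domain name runs past the end of its RDATA. The 16-octet cap on the bitmap is an assumption derived from the RFC 2535 type range 0..127; nothing here reproduces the actual overrun.

```c
/* Bounds-checked walk over a DNS response that counts well-formed NXT records.
 * Added example; not BIND code. Sample packets below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define T_NXT 30                        /* RR type number of NXT (RFC 2535) */

/* Offset just past the domain name starting at `off`, or -1 if the name runs
 * past `limit` (end of the message, or end of the RDATA it lives in). */
static long name_end(const uint8_t *m, size_t limit, size_t off)
{
    size_t total = 0;                   /* uncompressed octets seen so far */
    for (;;) {
        if (off >= limit) return -1;
        uint8_t lab = m[off];
        if (lab == 0) return (long)off + 1;
        if ((lab & 0xC0) == 0xC0)       /* compression pointer: 2 octets, ends the name */
            return off + 1 < limit ? (long)off + 2 : -1;
        if (lab & 0xC0) return -1;      /* 0x40 / 0x80: reserved label types */
        total += 1 + lab;
        if (total > 255) return -1;     /* RFC 1035 name length limit */
        off += 1 + lab;
    }
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Walks the question and all RR sections. Returns the number of NXT records
 * whose RDATA is well-formed, or -1 as soon as anything is out of bounds, so
 * a caller never copies from a record it cannot trust. */
int count_nxt(const uint8_t *m, size_t len)
{
    if (len < 12) return -1;            /* fixed header */
    unsigned qd = rd16(m + 4);
    unsigned rr = rd16(m + 6) + rd16(m + 8) + rd16(m + 10);
    size_t off = 12;
    long e;
    int nxt = 0;

    for (unsigned i = 0; i < qd; i++) { /* question: name, type, class */
        if ((e = name_end(m, len, off)) < 0) return -1;
        off = (size_t)e + 4;
        if (off > len) return -1;
    }
    for (unsigned i = 0; i < rr; i++) { /* RR: name, type, class, ttl, rdlength, rdata */
        if ((e = name_end(m, len, off)) < 0) return -1;
        off = (size_t)e;
        if (off + 10 > len) return -1;
        uint16_t type = rd16(m + off), rdlen = rd16(m + off + 8);
        size_t rdata = off + 10, rdend = rdata + rdlen;
        if (rdend > len) return -1;     /* RDLENGTH claims more than the packet holds */
        if (type == T_NXT) {
            /* next-domain name must end inside RDATA, not at the packet edge */
            if ((e = name_end(m, rdend, rdata)) < 0) return -1;
            size_t bitmap = rdend - (size_t)e;
            if (bitmap < 1 || bitmap > 16) return -1; /* types 0..127: at most 16 octets */
            nxt++;
        }
        off = rdend;
    }
    return nxt;
}

/* Constructed packets: QR|AA response, one question, one answer. */
#define HDR   0x12,0x34, 0x84,0x00, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00
#define QNAME 1,'a', 7,'e','x','a','m','p','l','e', 0          /* a.example */
#define Q     QNAME, 0x00,T_NXT, 0x00,0x01
#define RRHDR 0xC0,0x0C, 0x00,T_NXT, 0x00,0x01, 0x00,0x00,0x00,0x3C
#define NEXT  1,'b', 7,'e','x','a','m','p','l','e', 0          /* b.example */

static const uint8_t good_msg[]    = { HDR, Q, RRHDR, 0x00,15,  NEXT, 0x40,0x00,0x00,0x02 };
/* RDLENGTH says 255 octets but only 15 follow. */
static const uint8_t short_msg[]   = { HDR, Q, RRHDR, 0x00,255, NEXT, 0x40,0x00,0x00,0x02 };
/* RDLENGTH is honest, but the first label claims 63 octets and runs past RDATA. */
static const uint8_t runaway_msg[] = { HDR, Q, RRHDR, 0x00,15,
                                       63,'b', 7,'e','x','a','m','p','l','e', 0,
                                       0x40,0x00,0x00,0x02 };

int main(void)
{
    printf("good: %d\n",         count_nxt(good_msg, sizeof good_msg));
    printf("short rdata: %d\n",  count_nxt(short_msg, sizeof short_msg));
    printf("runaway name: %d\n", count_nxt(runaway_msg, sizeof runaway_msg));
    return 0;
}
```

The point of the shape is that every length used to index the buffer comes from a check against the enclosing region (message for the RR header, RDATA for the next-domain name and bitmap), never from the peer's RDLENGTH or label octets alone.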


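Editor's note, a second added example, again not from the mail. The sed line above leaves a visible artefact: a second account sharing uid 0 with root. The scan below is the check for that artefact, run over a constructed passwd fragment in which the "web" user's uid has been rewritten to 0; the account names are invented for the sample.

```c
/* Flags /etc/passwd entries that share uid 0 with root. Added example;
 * the sample passwd text is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the number of entries with uid 0 whose name is not "root", or -1
 * if a line does not have the name:pw:uid:... layout. */
int count_extra_uid0(const char *passwd)
{
    int extra = 0;
    const char *line = passwd;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t n = nl ? (size_t)(nl - line) : strlen(line);
        const char *c1 = memchr(line, ':', n);             /* end of name */
        if (!c1) return -1;
        const char *c2 = memchr(c1 + 1, ':', n - (size_t)(c1 + 1 - line)); /* end of pw field */
        if (!c2) return -1;
        char *end;
        long uid = strtol(c2 + 1, &end, 10);               /* third field */
        if (end == c2 + 1 || *end != ':') return -1;
        int is_root = (c1 - line == 4 && strncmp(line, "root", 4) == 0);
        if (uid == 0 && !is_root) extra++;
        line = nl ? nl + 1 : line + n;
    }
    return extra;
}

static const char sample_passwd[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh\n"
    "web:x:0:1001:web:/home/web:/bin/bash\n"        /* uid rewritten from 1001 to 0 */
    "technot:x:1000:1000::/home/technot:/bin/bash\n";

int main(void)
{
    printf("extra uid-0 accounts: %d\n", count_extra_uid0(sample_passwd));
    return 0;
}
```

On a live box the same question is a one-liner, awk -F: '$3 == 0 && $1 != "root"' /etc/passwd; the function above is the form you would drop into a host-integrity check that also has to refuse malformed lines rather than skip them.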
