Security Incidents mailing list archives
Re: Compromised...
From: scut () NB IN-BERLIN DE (Sebastian)
Date: Wed, 9 Feb 2000 19:01:16 +0100
On Wed, Feb 09, 2000 at 11:09:00AM +0100, technot wrote:
> About this BIND exploit. I would be grateful if someone could tell me how it works. I have tested it on my own system, and it worked fine, but I don't really understand the concept.
> When I tested on my system I needed 3 Linux boxes. box1: running BIND 8.2 (or 8.2.1); box2: set up some stuff in the nameserver running; box3: running the exploit.
> As I understand it, box2 sends a DNS query to box3, which is running the exploit. The exploit then sends a query to box1 and falls into some sort of loop, and all of a sudden there was the root shell. If someone would explain how/what exactly happens, I would be very grateful.
You make the remote nameserver query a host within a domain you have control over. The nameserver tries to resolve that host by querying your pseudo-nameserver. The pseudo-nameserver (the exploit, that is) sends a packet back with a malformed NXT record, that causes a buffer overrun on the remote server.
> And I read something here about someone finding a user called "web" or something after being "cracked". Why does the cracker/hacker (call it what u want ;) add a user at all? Why not create a simple /in/login trojan or something in that manner ;p
Well, that's only a temporary thing, as it isn't very comfortable to install backdoors from portshells and the user wants to have a fully featured telnet daemon terminal ;-). Therefore a simple cat /etc/passwd|sed s/:<uid>:/:0:/ > /etc/p;rm -f /etc/passwd; mv /etc/p /etc/passwd; (and a similar line for shadow) will allow you to log on as someone else through telnet. Then a backdoor will be installed and the account reinstalled.
> - technot, Linux administrator
ciao,
scut
-- 
- scut () nb in-berlin de - http://nb.in-berlin.de/scut/ - sacbuctd@ircnet -
-- you don't need a lot of people to be great, you need a few great to be the best --
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
--- acquired Talon operating system source, awaiting orders, hi echelon ---
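The mechanism scut describes, a resolver pulling a malformed NXT record from a pseudo-nameserver, is something a defender can check for in captured DNS replies; the following is an added example, not code from this thread or from BIND, that walks a response's answer section and flags NXT (type 30) records whose RDATA is out of spec: RDLENGTH past the end of the message, an undecodable next-domain name, or a type bit map longer than 16 octets. The 16-octet bound (RFC 2535's bit map covers types 0..127), the sample replies built by build_response and the function names are this example's assumptions, and the check is a sanity filter rather than a statement of the exact condition the 8.2 overrun needed.

```python
import struct
NXT = 30         # NXT RR type code (RFC 2535)
MAX_BITMAP = 16  # RFC 2535 bit map covers types 0..127, i.e. at most 16 octets (bound assumed here)
def encode_name(name):  # wire-format a dotted name, no compression
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"
def read_name(msg, off, limit):  # decode the name at off without reading past limit -> (name, end)
    labels, end, hops = [], None, 0
    while True:
        if off >= limit:
            raise ValueError("name runs past boundary")
        l = msg[off]
        if l == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        if l & 0xC0 == 0xC0:  # compression pointer: note where the inline part ended, then jump
            if off + 2 > limit or hops > 16:
                raise ValueError("bad compression pointer")
            off, limit, hops, end = ((l & 0x3F) << 8) | msg[off + 1], len(msg), hops + 1, end or off + 2
            continue
        if l > 63 or off + 1 + l > limit:
            raise ValueError("bad label length")
        labels.append(msg[off + 1:off + 1 + l].decode("ascii"))
        off += 1 + l
def flag_nxt_records(msg):  # list NXT answers whose RDATA is out of spec; [] means none found
    findings, off = [], 12
    try:
        qd, an = struct.unpack("!HH", msg[4:8])
        for _ in range(qd):  # skip questions: QNAME + QTYPE + QCLASS
            off = read_name(msg, off, len(msg))[1] + 4
        for _ in range(an):
            owner, off = read_name(msg, off, len(msg))
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off, rd_end = off + 10, off + 10 + rdlen
            if rd_end > len(msg):
                return findings + [f"{owner}: RDLENGTH {rdlen} runs past end of message"]
            if rtype == NXT:
                try:  # NXT RDATA = next domain name followed by the type bit map
                    bm_len = rd_end - read_name(msg, off, rd_end)[1]
                    if bm_len > MAX_BITMAP:
                        findings.append(f"{owner}: NXT bit map is {bm_len} octets (> {MAX_BITMAP})")
                except ValueError as e:
                    findings.append(f"{owner}: bad NXT next-domain name ({e})")
            off = rd_end
    except (ValueError, struct.error) as e:
        findings.append(f"message truncated or malformed ({e})")
    return findings
def build_response(qname, nxt_rdata):  # constructed sample reply: one question plus one NXT answer
    rr = encode_name(qname) + struct.pack("!HHIH", NXT, 1, 3600, len(nxt_rdata)) + nxt_rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1) + rr
```

A bit map of b"\x40\x00\x00\x02" (types A and NXT set) passes; the same reply carrying a 200-octet bit map, or one cut short so RDLENGTH overshoots the packet, is reported.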