Security Incidents mailing list archives

Re: Korea (was RE: ?)


From: phorlakh () CENTURYTEL NET (Joe User)
Date: Tue, 1 Feb 2000 17:48:57 -0600


Actually, ADM [or a variant of it] drops an entry in inetd.conf which puts
up a service as /bin/sh to port 2222. The only thing I can think of for
them putting this in, in the manner in which it's there, would be to basically
make the system "wide open" as kind of a boast. Either that or it was just
a quick idea someone in the think tanks threw out.

Atralakh Information Archives: ftp://atralakh.darktech.org
Atralakh Haven: telnet://atralakh.darktech.org:2300
My home page: http://home.centurytel.net/kronovohr/
E-mail: kronovohr<at>centurytel<dot>net

        push ax,dx
         xor dx,dx
         pop ax
        push computer,out_window
          db 09 FF F8 F7 2E 0H SH 1T !!

On Tue, 1 Feb 2000, Jon Lewis wrote:

> On Thu, 27 Jan 2000, R a v e N wrote:
>
> > A telnet backdoor on such a (relatively) low port that automatically
> > drops you to a rootshell?
> >
> > This just proves how insecure educational institutes in eastern Asia
> > are. They get cracked by such a bunch of amateur crackers.
>
> No country has a monopoly on this.  I've seen exactly the same thing on
> dozens of boxes spread all over the world (US, AU, CN, CL, JP, DE, KR, SG
> and the list goes on).  Why such primitive backdoors are used is somewhat
> of a mystery.  In some cases, it's as simple as running /bin/sh from a
> line inserted in inetd.conf.  In others, it's actually a replaced inetd or
> new daemon installed that spawns a shell with no authentication when
> connected to on a certain port.
>
> ----------------------------------------------------------------------
>  Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
>  System Administrator        |  nestea'd...whatever it takes
>  Atlantic Net                |  to get the job done.
> _________http://www.lewis.org/~jlewis/pgp for PGP public key__________
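Both posters describe the same backdoor: a single inetd.conf line that hands a listening port straight to /bin/sh. Here is an added detection check (not code from either poster) that parses an inetd.conf in the classic seven-field layout and flags every entry whose effective server program is a shell, including one hidden behind tcpd; the config text is a constructed sample.

```python
"""Flag inetd.conf entries that hand a listening socket to a shell, the
inetd backdoor the thread describes.  Sample data below is constructed."""
import os

SHELLS = {"sh", "bash", "csh", "ksh", "tcsh", "zsh"}  # never a valid server
WRAPPERS = {"tcpd"}  # TCP wrapper: real server is the first server_arg

def parse_inetd_line(line):
    """Return (service, user, program, args), or None for blank, comment
    or malformed lines.  Classic field order:
    service socket_type proto wait/nowait user server_program [server_args]"""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 6:
        return None
    service, _stype, _proto, _wait, user, program = fields[:6]
    return service, user, program, fields[6:]

def effective_server(entry):
    """Program that really serves the socket once a wrapper is unwound."""
    _service, _user, program, args = entry
    if os.path.basename(program) in WRAPPERS and args:
        return args[0]
    return program

def find_shell_services(conf_text):
    """Return (service, user, program) for every entry that spawns a shell."""
    hits = []
    for line in conf_text.splitlines():
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        server = effective_server(entry)
        if os.path.basename(server) in SHELLS:
            hits.append((entry[0], entry[1], server))
    return hits

# Constructed sample modelled on the thread's description; not a real file.
SAMPLE_CONF = """\
# /etc/inetd.conf (constructed sample)
ftp        stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
telnet     stream tcp nowait root   /usr/sbin/tcpd in.telnetd
finger     stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
2222       stream tcp nowait root   /bin/sh        sh -i
pop3       stream tcp nowait root   /usr/sbin/tcpd /bin/bash -i
"""

if __name__ == "__main__":
    for svc, user, prog in find_shell_services(SAMPLE_CONF):
        print(f"SUSPECT: service {svc!r} spawns {prog} as {user}")
```

This only catches the inetd.conf variant; the replaced-inetd or extra-daemon case Jon mentions needs a file-integrity check on the inetd binary and a comparison of listening ports against the services the config accounts for.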
