Security Incidents mailing list archives

Re: /tmp/bob on compromised system


From: "Granquist, Lamont" <lamont () ICOPYRIGHT COM>
Date: Wed, 26 Jul 2000 12:58:51 -0700

Actually, the original poster responded privately that /tmp/bob was a suid
binary and not an inetd.conf file, and that the exploit was probably the
ff.core bug:

http://www2.merton.ox.ac.uk/~security/archive-199901/0187.html

On Tue, 25 Jul 2000, Rob McCauley wrote:
More generically, /tmp/bob is an inetd.conf file inserted through the use
of some generic exploit.  The intruder overflows a buffer and causes
commands which create the one line /tmp/bob and execute an inetd with
/tmp/bob specified as the configuration file.  /tmp/bob directs that
connections to some port be passed off to /bin/sh giving a root shell on
that port.  This is cut and paste stuff, so it doesn't have to be
rpc.statd (I think), and it doesn't have to be any specific port
(definite).  I've personally seen ingreslock and pcserver.  Used, I
believe, to overflow rpc.cmsd.  With a copy of the script you could
presumably make it whatever you like.

Rob

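As an added illustration (not part of the original post), the Python below shows the two checks a responder would run for the pattern Rob describes: parse inetd.conf-format lines and flag any service whose server program is a shell or lives in a temp directory, and scan a process listing for an inetd started with a configuration file outside /etc. The configuration lines and the process listing are constructed samples, and the shell/temp-directory lists are assumptions chosen for this example.

```python
"""Detect inetd started with a non-standard configuration file and
inetd.conf entries that hand a listening port straight to a shell.

Added example, not part of the original mailing-list thread. The sample
inetd.conf text and process listing below are constructed.
"""

# Assumed: programs that should never be the server of an inetd entry.
SHELL_PROGRAMS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh"}

# Assumed: directories where a legitimate server program would not live.
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_inetd_line(line):
    """Parse one classic inetd.conf line into its fields, or return None for
    comments and blank lines. Format:
    service socktype proto wait/nowait user server_program [args...]"""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    return {
        "service": fields[0],
        "socktype": fields[1],
        "proto": fields[2],
        "wait": fields[3],
        "user": fields[4],
        "program": fields[5],
        "args": fields[6:],
    }


def suspicious_inetd_entries(config_text):
    """Return (service, program, reason) tuples for entries that bind a port
    to a shell or run a program out of a temp directory."""
    findings = []
    for line in config_text.splitlines():
        entry = parse_inetd_line(line)
        if entry is None:
            continue
        prog = entry["program"]
        if prog in SHELL_PROGRAMS or any(a in SHELL_PROGRAMS for a in entry["args"]):
            findings.append((entry["service"], prog, "server program is a shell"))
        elif prog.startswith(UNTRUSTED_DIRS):
            findings.append((entry["service"], prog, "server program in temp directory"))
    return findings


def inetd_with_foreign_config(ps_lines):
    """Given 'pid command args...' lines (as from `ps -eo pid,args`), return
    (pid, config_path) for inetd processes whose positional argument, which
    inetd treats as its configuration file, is not under /etc/."""
    hits = []
    for line in ps_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        pid, argv = parts[0], parts[1:]
        if argv[0].rsplit("/", 1)[-1] != "inetd":
            continue
        for arg in argv[1:]:
            if arg.startswith("-"):
                continue  # option flag, not a config path
            if not arg.startswith("/etc/"):
                hits.append((pid, arg))
    return hits


# Constructed sample: two normal entries plus one of the kind described above.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp        stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
telnet     stream tcp nowait root /usr/sbin/tcpd in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
"""

# Constructed sample process listing.
SAMPLE_PS = [
    "  212 /usr/sbin/inetd",
    "  987 /usr/sbin/inetd /tmp/bob",
    " 1020 /bin/sh -c sleep 1",
]

if __name__ == "__main__":
    for finding in suspicious_inetd_entries(SAMPLE_INETD_CONF):
        print("config:", finding)
    for hit in inetd_with_foreign_config(SAMPLE_PS):
        print("process:", hit)
```

Run against a live host, feed the real /etc/inetd.conf and the output of `ps -eo pid,args` to the two functions; any inetd instance whose config argument points into /tmp, or any entry whose server is a shell, warrants the same treatment as the /tmp/bob case in this thread.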

