Security Incidents mailing list archives
Re: RedHat compromise
From: Jim Roland <jroland () ROLAND NET>
Date: Fri, 23 Feb 2001 15:30:31 -0600
Yes, on that port, I did get the usual telnet banner and login prompt. I was unable to login with a usable account though. Console access worked fine though (probably because it was using mingetty instead of in.telnetd/tcpd).

----- Original Message -----
From: "Andreas Östling" <andreaso () it su se>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, February 23, 2001 8:30 AM
Subject: Re: RedHat compromise

> On Monday 19 February 2001 22:43, Jim Roland wrote:
> > ...From the remote network, I am able to telnet to port 54321 and get a
> > telnet prompt on the box. Further investigation shows that all TCP
> > connections are denied. ...
>
> I guess you just saw the telnet banner and not the actual login prompt?
>
> If TERM is set to "owned" you get in as root without any password when
> telnetting to port 54321 (/bin/login is modified this way).
>
> When /bin/login is called and TERM is not set to "owned", it calls
> /usr/sbin/xcat (which is suid root) with "login" as argument, which calls
> itself with "login" as argument. This will however make xcat call itself
> again, and again, and again... I'm not sure why it does that, but it may
> explain why the host I analyzed had a ~50,~50,~50 load average and a huge
> amount of xcat processes running.
>
> If /usr/sbin/xcat is called and TERM is set to "nigwarsh" you will instead
> get a shell.
>
> Regards,
> Andreas Östling
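The following triage script is an added example and is not code from this thread or from any of the posters; it turns the indicators Andreas describes (a suid /usr/sbin/xcat, a /bin/login that carries the "owned" string and no longer matches its RPM, and a pile of recursive xcat processes pushing the load average up) into checks a responder can run on a suspect Red Hat host. It assumes `ps ax` prints the command in the fifth column, that `strings` and `rpm` are available for the live checks, and that the process listing embedded below is a constructed sample rather than real output.

```shell
#!/bin/sh
# Added triage example (not code from the thread): checks a Red Hat host for
# the backdoor indicators described in the list discussion, from a defender's
# perspective. Paths and marker strings come from the thread; the process
# listing below is a constructed sample so the counting logic runs offline.

# count_xcat_procs: read "ps ax"-style output on stdin and print how many
# processes have xcat as their command (assumed to be column 5 of "ps ax").
count_xcat_procs() {
    awk 'NR > 1 && $5 ~ /(^|\/)xcat$/ { n++ } END { print n + 0 }'
}

# check_binary PATH: print "absent", "suid" or "present" and return 0, 2 or 1
# respectively, so callers can branch on the exit status as well as the text.
check_binary() {
    if [ ! -e "$1" ]; then
        echo absent
        return 0
    elif [ -u "$1" ]; then
        echo suid      # setuid bit set: the thread reports xcat installed suid root
        return 2
    fi
    echo present
    return 1
}

# has_backdoor_string PATH STRING: print 1 if the printable strings of the
# binary contain STRING as a whole line, else 0 (0 also when strings is absent).
has_backdoor_string() {
    if strings "$1" 2>/dev/null | grep -qx "$2"; then
        echo 1
    else
        echo 0
    fi
}

# Constructed sample of "ps ax" output in the shape a host with recursive xcat
# processes would show (PIDs and times are made up for the example).
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
  812 ?        S      0:00 /usr/sbin/xcat login
  813 ?        S      0:00 /usr/sbin/xcat login
  814 ?        S      0:00 /usr/sbin/xcat login
  900 pts/0    R      0:00 ps ax'

# demo_count: run the counter over the constructed sample.
demo_count() {
    printf '%s\n' "$SAMPLE_PS" | count_xcat_procs
}

# triage_host: the live checks, run only when invoked as "sh triage.sh --live".
triage_host() {
    echo "xcat binary: $(check_binary /usr/sbin/xcat)"
    echo "xcat processes running: $(ps ax | count_xcat_procs)"
    echo "/bin/login contains 'owned': $(has_backdoor_string /bin/login owned)"
    # rpm -Vf verifies the package that owns the file; a "5" in the attribute
    # column means the file's MD5 no longer matches what the package shipped.
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf /bin/login || echo "/bin/login differs from its package"
    fi
    echo "current load: $(cut -d' ' -f1-3 /proc/loadavg 2>/dev/null)"
}

if [ "${1:-}" = "--live" ]; then
    triage_host
fi
```

Run it with `--live` on the suspect machine (ideally from a known-good shell and toolchain, since a host with a replaced /bin/login may have other replaced binaries too); without arguments it only defines the functions, so the counting logic can be exercised against the constructed sample.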
Current thread:
- RedHat compromise Jim Roland (Feb 19)
- Re: RedHat compromise Michael H. Warfield (Feb 19)
- Re: RedHat compromise Johan.Augustsson (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 20)
- Re: RedHat compromise Jose Nazario (Feb 20)
- Re: RedHat compromise Dave Dittrich (Feb 20)
- Re: RedHat compromise Fabio Pietrosanti (naif) (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 23)
- Re: RedHat compromise Jim Roland (Feb 24)
- <Possible follow-ups>
- Re: RedHat compromise Matteo,Marc A. (Feb 20)
- Re: RedHat compromise Andreas Östling (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 21)
- Re: RedHat compromise Daniel Martin (Feb 21)
- Re: RedHat compromise Andreas Östling (Feb 20)
- Re: RedHat compromise Jim Roland (Feb 20)
- Re: RedHat compromise Justin Shore (Feb 21)