Security Incidents mailing list archives

Re: RedHat compromise


From: Jim Roland <jroland () ROLAND NET>
Date: Fri, 23 Feb 2001 15:30:31 -0600

Yes, on that port, I did get the usual telnet banner and login prompt.  I
was unable to login with a usable account though.  Console access worked
fine though (probably because it was using mingetty instead of
in.telnetd/tcpd).


----- Original Message -----
From: "Andreas Östling" <andreaso () it su se>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Friday, February 23, 2001 8:30 AM
Subject: Re: RedHat compromise


On Monday 19 February 2001 22:43, Jim Roland wrote:
...
From the remote network, I am able to telnet to port 54321 and get a telnet
prompt on the box.  Further investigation shows that all TCP connections
are denied.
...
I guess you just saw the telnet banner and not the actual login prompt?
If TERM is set to "owned" you get in as root without any password when
telnetting to port 54321 (/bin/login is modified this way).
When /bin/login is called and TERM is not set to "owned", it calls
/usr/sbin/xcat (which is suid root) with "login" as argument, which calls
itself with "login" as argument. This will however make xcat call itself
again, and again, and again...
I'm not sure why it does that, but it may explain why the host I analyzed
had a ~50,~50,~50 load average and a huge amount of xcat processes running.
If /usr/sbin/xcat is called and TERM is set to "nigwarsh" you will instead
get a shell.

Regards,
Andreas Östling
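Defender-side triage checks for the indicators Andreas describes, as an added example that is not part of the thread: a POSIX shell script whose checks can be run on a live host or on saved artefacts from an image. It assumes the paths, port and TERM values exactly as quoted above; the `rpm -Vf` follow-up and the `ps axww` / `netstat -an` output formats are assumptions about the host, and the embedded sample output is constructed, not captured.

```shell
#!/bin/sh
# Triage checks for the backdoored /bin/login + setuid xcat described above.
# Each check is a function taking a path or stdin, so it works on a live host
# or on artefacts (copied binaries, saved ps/netstat output) from an image.
BACKDOOR_PORT=54321          # port quoted in the thread (assumption: unchanged)
XCAT_PATH=/usr/sbin/xcat     # helper path quoted in the thread

# Does the login binary carry the magic TERM values?  A hit is a triage hint,
# not proof; confirm against the package database (e.g. rpm -Vf /bin/login).
login_has_magic_terms() {
    grep -a -q -e 'owned' -e 'nigwarsh' "$1"   # -a: search the binary as text
}
# Is there a setuid-root file at the given path (the xcat helper)?
xcat_is_suid_root() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm -4000 -user root 2>/dev/null)" ]
}
# Count xcat processes in `ps axww` output read from stdin
# (the thread reports runaway xcat recursion driving the load average).
count_xcat_processes() {
    awk '$0 ~ "(^|[ /])xcat($| )" { n++ } END { print n + 0 }'
}
# Is something listening on the given TCP port in `netstat -an` output (stdin)?
backdoor_port_listening() {
    awk -v port="$1" '$1 ~ /^tcp/ && $4 ~ (":" port "$") && $NF == "LISTEN" { f = 1 }
                      END { exit (f ? 0 : 1) }'
}
# Run all checks on the local host; prints one ALERT line per indicator found.
triage_host() {
    login_has_magic_terms /bin/login && echo "ALERT: /bin/login contains backdoor TERM strings"
    xcat_is_suid_root "$XCAT_PATH" && echo "ALERT: setuid-root $XCAT_PATH present"
    n=$(ps axww | count_xcat_processes)
    [ "$n" -gt 0 ] && echo "ALERT: $n xcat process(es) running"
    netstat -an 2>/dev/null | backdoor_port_listening "$BACKDOOR_PORT" \
        && echo "ALERT: listener on TCP port $BACKDOOR_PORT"
    return 0
}
# Constructed sample output (not from a real host) to exercise the parsers offline.
SAMPLE_PS='  PID TTY STAT TIME COMMAND
    1 ?   S    0:04 init
  812 ?   S    0:00 /usr/sbin/xcat login
  813 ?   R    0:00 /usr/sbin/xcat login
  900 pts/0 S  0:00 -bash'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:54321 0.0.0.0:* LISTEN'
# Only scan the local host when explicitly asked: sh triage.sh --run
case "${1:-}" in --run) triage_host ;; esac
```

Against the constructed samples, `count_xcat_processes` reports 2 and `backdoor_port_listening 54321` succeeds while port 23 does not.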


