Re: rdist
Rafi Sadowsky (rafi@tavor.openu.ac.il)
Wed, 16 Mar 1994 15:15:40 +0200 (IST)
- In reply to: *Hobbit*: "rdist"
*Hobbit* wrote:
>
> Funny, I just pulled virtually the same script out of a packet dump
> last week and was going to send it in. In this case they called it
> "rd.s" and most of the comments were gone except for one at the top
> claiming it had been written by "Yo Man!" ...
>
> The gracious providers of this script, once having used it, were apprehended
> in the process of scanning several places with "rpcinfo" looking for X.25
> links [or whatever the x25.inr RPC service is].
>
> _H*
>
"historical" note
this script was used to break in to an Ultrix machine here in aug 92
the guy opened an account for himself with a username of "yo"
so he probably was the genius who originated it ....
(yo is short for yonatan - which is the hebrew version of Jonathan - his name)
at the time he was a student at Ben-Gurion Uni (bgu.ac.il in Beer-Sheva, Israel)
and part of a (then) quite active cracking group there
he went up for a disciplinary hearing at BGU and got off quite lightly
(the police said there wasn't enough evidence to prosecute ...)
Rafi
P.S. I still have a .tar.Z file of his dir with cracking tools
there was the rdist script + crack-4.1 + the
usual assortment of utmp/wtmp editing tools +
a c prog for capturing passwds with following comment in the header
-
/* when run from a shell-escape in /bin/mail, this program is able to
read any password given to su, telnet, rsh by any user.
Works on Ultrix 4.0-4.2 with no mods
*/
-
the whole bundle was sent off to CERT of course...
I didn't notice any announcements about a fix for this one -
although it didn't seem to work trivially under Ultrix 4.2A(rev 47)
and I don't have too much time to play with it ( it reads /dev/{k,}mem )
--
+-------------------------------+---------------------------------------+
| Rafi Sadowsky                 | rafi@tavor.openu.ac.il                |
| Comp.Sci. dept                |-[also postmaster@openu.ac.il]---------+
| Open University of Israel     | Voice: +972-3-6460592                 |
| Tel-Aviv, Israel              | Fax: +972-3-6460483                   |
+-------------------------------+---------------------------------------+