Subject: Re: Rooted through in.identd on Red Hat 6.0
From: Sebastian (scut NB.IN-BERLIN.DE)
Date: Thu Apr 20 2000 - 03:03:34 CDT
- Next message: Network Security: "Tools to analyze "captured" binaries? -Reply"
- Previous message: Del: "(no subject)"
- In reply to: Del Elson: "Rooted through in.identd on Red Hat 6.0"
- Next in thread: J. J. Horner: "Re: Rooted through in.identd on Red Hat 6.0"
- Reply: Sebastian: "Re: Rooted through in.identd on Red Hat 6.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, Apr 19, 2000 at 05:02:13AM -0000, Del Elson wrote:
> Hi,
Hi.
> A client was hacked last week by what looked like a buffer
> overflow through in.identd. This was on a Red Hat 6.0
> box.
I doubt this.
RedHat 6.0 uses pidentd 2.8.5, which should be pretty secure. I audited it
myself, too, and found no vulnerabilities. Neither do I know of any exploits
or holes in it.
> RH don't have any current security notices or fixes for
> in.identd on their servers, and I haven't seen other
> boxes hacked through in.identd recently.
Most likely because in.identd (pidentd 2.8.5 that is) is secure.
> The hacker left the usual trace in /.bash_history, which
> ran like:
A hacker being that stupid leaving such obvious traces would more likely use
some standard BIND NXT or RPC vulnerabilities to compromise your system.
Also he doesn't install a kernel module but uses standard rootkit tricks,
which are easy to discover.
> ... installing a back door and a partial cover of tracks.
> The only messages in /var/log/messages around the time
> were:
> Apr 8 23:15:57 home identd[12006]: Connection from
> 200.192.58.201
> Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 (
> 200.192.58.201 ) for: 1176, 21
> Apr 8 23:16:05 home identd[12007]: Connection from
> 200.192.58.201
> Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 (
> 200.192.58.201 ) for: 1176, 21
Yes, he used FTP to transfer his backdoor kit. Most likely.
> Anyone know of any current bug notices, exploits, or
> patches for in.identd?
No, No, No.
> Del
ciao,
scut
--
- scutnb.in-berlin.de - http://nb.in-berlin.de/scut/ ---
you don't need a lot of people to be great, you need a few great to be the best
http://3261000594/scut/pgp - 5453 AC95 1E02 FDA7 50D2 A42D 427E 6DEF 745A 8E07
data in VK/USA Mayfly experienced, awaiting transfer location, hi echelon
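The identd lines quoted in the thread carry more than a source address: an RFC 1413 query names a TCP connection as "port on the identd host, port on the querier", and pidentd logs that pair as "for: <local port>, <remote port>". So "for: 1176, 21" says the compromised box held an ephemeral port 1176 on a connection whose other end was port 21 on 200.192.58.201, i.e. the box opened an FTP control session to the remote host, which then asked identd who owned it. The parser below is an added example for incident responders, not code from the original post or from pidentd; it assumes the log layout exactly as quoted above, and the extra inbound SMTP line in the sample (192.0.2.7, a documentation address) is constructed to show the opposite direction.

```python
"""Reconstruct TCP session direction from pidentd log lines (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Matches the pidentd layout quoted in the post:
#   "<syslog ts> <host> identd[<pid>]: from: <ip> ( <name> ) for: <lport>, <rport>"
# The "Connection from <ip>" lines carry no port pair and are deliberately ignored.
IDENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"identd\[(?P<pid>\d+)\]:\s+from:\s+(?P<src>\S+)\s+\(\s*(?P<rev>\S+)\s*\)\s+"
    r"for:\s+(?P<lport>\d+),\s*(?P<rport>\d+)\s*$"
)

# A few well-known ports, used only to label the reconstructed session.
SERVICE_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 80: "http", 6667: "irc"}


@dataclass
class IdentQuery:
    timestamp: str
    host: str          # the machine running identd (the logging host)
    pid: int
    querier: str       # the remote host that sent the ident request
    local_port: int    # port on the identd host (first number after "for:")
    remote_port: int   # port on the querier (second number)

    def direction(self) -> str:
        """Infer who initiated the connection from which side holds a well-known port."""
        if self.local_port >= 1024 and self.remote_port < 1024:
            return "outbound"   # identd host connected out to a service on the querier
        if self.local_port < 1024 and self.remote_port >= 1024:
            return "inbound"    # querier connected in to a service on the identd host
        return "unknown"

    def describe(self) -> str:
        if self.direction() == "outbound":
            svc = SERVICE_NAMES.get(self.remote_port, str(self.remote_port))
            return (f"{self.timestamp}: {self.host}:{self.local_port} -> "
                    f"{self.querier}:{self.remote_port} ({svc}), outbound from {self.host}")
        if self.direction() == "inbound":
            svc = SERVICE_NAMES.get(self.local_port, str(self.local_port))
            return (f"{self.timestamp}: {self.querier}:{self.remote_port} -> "
                    f"{self.host}:{self.local_port} ({svc}), inbound to {self.host}")
        return f"{self.timestamp}: {self.host}:{self.local_port} <-> {self.querier}:{self.remote_port}"


def parse_ident_line(line: str) -> Optional[IdentQuery]:
    """Return an IdentQuery for a 'from: ... for: ...' line, None for anything else."""
    m = IDENT_RE.match(line.strip())
    if not m:
        return None
    return IdentQuery(m["ts"], m["host"], int(m["pid"]), m["src"],
                      int(m["lport"]), int(m["rport"]))


def find_outbound_sessions(lines: Iterable[str], ports: Set[int] = frozenset({21})) -> List[IdentQuery]:
    """Queries showing the identd host connecting out to one of `ports` on the querier."""
    hits = []
    for line in lines:
        q = parse_ident_line(line)
        if q and q.direction() == "outbound" and q.remote_port in ports:
            hits.append(q)
    return hits


# Sample input: the four lines quoted in the post (rejoined after mail wrapping),
# plus one constructed inbound SMTP line for contrast.
SAMPLE_LOG = [
    "Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201",
    "Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21",
    "Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201",
    "Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21",
    "Apr  8 23:20:11 home identd[12010]: from: 192.0.2.7 ( mail.example.net ) for: 25, 40123",  # constructed
]

if __name__ == "__main__":
    for q in filter(None, map(parse_ident_line, SAMPLE_LOG)):
        print(q.describe())
    print("outbound FTP sessions:", len(find_outbound_sessions(SAMPLE_LOG)))
```

Run against a real /var/log/messages the same way; the useful output for a write-up is the list of outbound sessions to external hosts around the compromise window, since those are the transfers a rootkit install would need, and the pidentd PID ties each query back to the surrounding log lines.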