OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Rooted through in.identd on Red Hat 6.0
From: Erich Meier (Erich.MeierINFORMATIK.UNI-ERLANGEN.DE)
Date: Thu Apr 20 2000 - 08:58:16 CDT

On Wed, Apr 19, 2000 at 05:02:13AM -0000, Del Elson wrote:
> Hi,
>
> A client was hacked last week by what looked like a buffer
> overflow through in.identd. This was on a Red Hat 6.0
> box.

Hmmm, I am not so sure, that identd is to blame.

> RH don't have any current security notices or fixes for
> in.identd on their servers, and I haven't seen other
> boxes hacked through in.identd recently.
>
> The hacker left the usual trace in /.bash_history, which
> ran like:
>
> mkdir /usr/lib/... ; cd /usr/lib/...

Could it be, that this ftp connection caused an identd lookup done by the
ftpd at 200.192.58.201?

Then, in.identd would be not guilty.

> ftp 200.192.58.201 21
[...]
>
> ... installing a back door and a partial cover of tracks.
>
> The only messages in /var/log/messages around the time
> were:
>
> Apr 8 23:15:57 home identd[12006]: Connection from
> 200.192.58.201
> Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 (
> 200.192.58.201 ) for: 1176, 21
> Apr 8 23:16:05 home identd[12007]: Connection from
> 200.192.58.201
> Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 (
> 200.192.58.201 ) for: 1176, 21
>
> ... the IP address traces back to somewhere in Brazil.

Erich 

--
Erich Meier                              Erich.Meierinformatik.uni-erlangen.de
                                 http://www4.informatik.uni-erlangen.de/~meier/
 Dilbert: "Today I started hating people in advance." Dogbert: "It saves time."