Subject: Re: /tmp/bob on compromised system
From: Rob McCauley (robmccau at RADONC.DUKE.EDU)
Date: Tue Jul 25 2000 - 15:49:15 CDT
- Next message: Dante Mercurio: "NewOak?"
- Previous message: John Kristoff: "[Fwd: ssh-research-scanner.ucs.ualberta.ca]"
- In reply to: Adam Pendleton: "Re: /tmp/bob on compromised system"
- Next in thread: Granquist, Lamont: "Re: /tmp/bob on compromised system"
- Next in thread: Lynch Sean: "Re: /tmp/bob on compromised system"
- Reply: Rob McCauley: "Re: /tmp/bob on compromised system"
- Reply: Granquist, Lamont: "Re: /tmp/bob on compromised system"
More generically, /tmp/bob is an inetd.conf file inserted through the use
of some generic exploit. The intruder overflows a buffer and causes
commands which create the one-line /tmp/bob and execute an inetd with
/tmp/bob specified as the configuration file. /tmp/bob directs that
connections to some port be passed off to /bin/sh giving a root shell on
that port. This is cut and paste stuff, so it doesn't have to be
rpc.statd (I think), and it doesn't have to be any specific port
(definite). I've personally seen ingreslock and pcserver. Used, I
believe, to overflow rpc.cmsd. With a copy of the script you could
presumably make it whatever you like.
Rob
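The backdoor Rob describes is just an inetd configuration: one entry that maps a service port to /bin/sh, loaded by starting a second inetd with a non-standard config path. Both halves are easy to check for from the defender's side. The script below is an added example, not part of Rob's post or of any tool on this list: it parses inetd.conf-format text and flags entries whose server program is a shell, and it inspects an inetd command line for a config file outside /etc. The sample config and process arguments are constructed, and the shell list and the "/etc/inetd.conf is the only legitimate path" rule are assumptions to adapt per platform.

```python
import os
from dataclasses import dataclass, field
from typing import List, Optional

# Interpreters that should never be the server program of an inetd service.
# Assumption: extend this for your platform (e.g. /usr/local/bin/bash).
SHELL_PROGRAMS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/csh", "/bin/tcsh", "/bin/zsh"}
SHELL_NAMES = {os.path.basename(p) for p in SHELL_PROGRAMS}

# Assumption: on this host the only legitimate inetd config is /etc/inetd.conf.
LEGITIMATE_CONFIGS = {"/etc/inetd.conf"}


@dataclass
class InetdEntry:
    """One inetd.conf line: service socket_type proto wait[/max] user[.group] server [args...]"""
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    server: str
    args: List[str] = field(default_factory=list)
    lineno: int = 0


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse inetd.conf text, skipping comments, blank lines and malformed entries
    (inetd itself ignores lines with fewer than six fields)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        entries.append(InetdEntry(fields[0], fields[1], fields[2], fields[3],
                                  fields[4], fields[5], fields[6:], lineno))
    return entries


def suspicious_entries(entries: List[InetdEntry]) -> List[InetdEntry]:
    """Flag entries that hand the accepted socket to a shell, either directly
    as the server program or via a wrapper whose argv[0] is a shell."""
    findings = []
    for e in entries:
        server_is_shell = e.server in SHELL_PROGRAMS
        argv0_is_shell = bool(e.args) and os.path.basename(e.args[0]) in SHELL_NAMES
        if server_is_shell or argv0_is_shell:
            findings.append(e)
    return findings


def suspicious_inetd_argv(argv: List[str]) -> Optional[str]:
    """Given the argv of a running inetd (e.g. from ps), return the config path
    if it is not one of the legitimate locations, else None.
    Non-flag arguments are treated as the config file; flags like -d are ignored."""
    if not argv or os.path.basename(argv[0]) != "inetd":
        return None
    for arg in argv[1:]:
        if arg.startswith("-"):
            continue
        if arg not in LEGITIMATE_CONFIGS:
            return arg
    return None


# Constructed sample: two ordinary entries plus one backdoor-style line of the
# kind the thread describes (a well-known port wired straight to a root shell).
SAMPLE_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
echo    stream  tcp  nowait  root  internal
ingreslock stream tcp nowait root /bin/sh sh -i
"""

if __name__ == "__main__":
    for e in suspicious_entries(parse_inetd_conf(SAMPLE_CONF)):
        print(f"line {e.lineno}: {e.service}/{e.protocol} as {e.user} runs {e.server} {' '.join(e.args)}")
    for argv in (["inetd", "/tmp/bob"], ["/usr/sbin/inetd", "-d", "/etc/inetd.conf"]):
        conf = suspicious_inetd_argv(argv)
        print(f"{' '.join(argv)!r}: {'non-standard config ' + conf if conf else 'ok'}")
```

On a live system the same two functions would be fed the config file named on the running inetd's command line and the argv of every inetd process; a second inetd reading a file under /tmp is the signature of this particular trick regardless of which port the entry binds.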