Bugtraq mailing list archives
Re: identd hole?
From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Tue, 16 Jul 1996 06:10:02 -0400
"BLH" == Brett L Hawn <blh () nol net> writes:

BLH> Lately I've heard rumours about this 'identd' hole in RFC1413,
BLH> we've seen this abused on IRC several times in recent days. Then
BLH> today I had someone claim they had the root password on my machine
BLH> at home. So I telnetted in, changed it and waited since he claimed
BLH> he was going to hack it. Apparently he did because I caught him
BLH> with a login process which I promptly killed, then being rather
BLH> peeved I /kill'd him on irc. This apparently pissed him off even
BLH> more so he re-hacked my machine and brought it down, at this time
BLH> I'm not even sure if it's revivable as I've not had a chance to
BLH> check it, all I know is that it's dead in the water currently. Right
BLH> after that I did a netstat -n on the machine I was on at
BLH> work. Voila.. there were about two dozen connections from his IP (I
BLH> checked) to my identd port (113). Now I'm guessing that Solaris
BLH> 2.5x86 doesn't have the same bug or I caught it in time since I saw
BLH> no adverse effects on that machine. The machine affected (and
BLH> killed) was a linux 2.0.0 machine, but I have heard of many other
BLH> machines of random type being affected in such a manner.

It's not really clear to me that 'identd' was involved in the attack on your Linux system. The second intrusion could very well have been accomplished via a trojan /bin/login, /usr/sbin/in.telnetd, etc., since a previous root-level intrusion had apparently occurred. Replacing /bin/login with a "back door password" version is a logical step #1 after cracking a box; doing this is part of some "root kits."

Also, depending upon your configuration, both the first and the subsequent intrusions could have been done sans password using something like the now-well-known shared-library/in.telnetd exploit; the cracker might very well have been claiming to have your root password simply to confuse the issue and point you in the wrong direction.

--Up.
--
Jeff Uphoff - systems/network admin.  | juphoff () nrao edu
National Radio Astronomy Observatory  | juphoff () bofh org uk
Charlottesville, VA, USA              | jeff.uphoff () linux org
PGP key available at: http://www.cv.nrao.edu/~juphoff/
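The reply's point is that once root has been obtained, the login path itself (/bin/login, /usr/sbin/in.telnetd) is the natural thing for an intruder to replace, so a second entry needs no password and leaves no new hole to find. The defender's counterpart is a baseline of those binaries taken while the system is known-good, checked later from trusted media. The following is an added example, not code from the original post or from anyone in the thread: it builds a hash/size/mode manifest for the two paths the reply names and then verifies against it. The demo runs entirely inside a temporary directory with constructed placeholder files (the "backdoor" content is a constructed stand-in), so it touches nothing on the real system.

```python
"""Baseline-and-verify integrity check for login-path binaries.

Added example; the watched paths are the ones named in the reply, the
demo files are constructed placeholders under a temporary directory.
"""
import hashlib
import json
import os
import tempfile

# Binaries the reply names as typical root-kit replacement targets
# (relative to a root so the demo can point them at a temp directory).
WATCHED = ["bin/login", "usr/sbin/in.telnetd"]


def sha256_file(path):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, paths):
    """Record content hash, size and permission bits for each watched path."""
    manifest = {}
    for rel in paths:
        full = os.path.join(root, rel)
        st = os.stat(full)
        manifest[rel] = {
            "sha256": sha256_file(full),
            "size": st.st_size,
            "mode": st.st_mode & 0o7777,
        }
    return manifest


def verify(root, manifest):
    """Compare the current files to the manifest; return what changed."""
    findings = {"modified": [], "missing": [], "mode_changed": []}
    for rel, rec in manifest.items():
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            findings["missing"].append(rel)
            continue
        st = os.stat(full)
        # Hash is the real check; size is a cheap early signal alongside it.
        if sha256_file(full) != rec["sha256"] or st.st_size != rec["size"]:
            findings["modified"].append(rel)
        # A setuid bit appearing or disappearing is worth flagging on its own.
        if (st.st_mode & 0o7777) != rec["mode"]:
            findings["mode_changed"].append(rel)
    return findings


def demo():
    """Constructed scenario: take a baseline, then simulate /bin/login
    being swapped for a same-mode binary with different contents."""
    with tempfile.TemporaryDirectory() as root:
        for rel in WATCHED:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                # Constructed placeholder standing in for the real ELF binary.
                f.write(b"\x7fELF placeholder for " + rel.encode())
            os.chmod(full, 0o755)
        manifest = build_manifest(root, WATCHED)
        # Simulate the replaced login binary: permissions unchanged, body changed.
        with open(os.path.join(root, "bin/login"), "wb") as f:
            f.write(b"\x7fELF placeholder with a constructed back-door password")
        return verify(root, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use the manifest is written once from a clean install and kept off the machine (or on read-only media) together with a copy of the checking tool, because a root-level intruder can just as easily edit a manifest stored locally or replace the hashing binary itself; the check is then run from a trusted boot, not from the possibly-compromised system's own userland.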