Bugtraq mailing list archives

Re: identd hole?


From: juphoff () tarsier cv nrao edu (Jeff Uphoff)
Date: Tue, 16 Jul 1996 06:10:02 -0400


"BLH" == Brett L Hawn <blh () nol net> writes:

BLH> Lately I've heard rumours about this 'identd' hole in RFC1413,
BLH> we've seen this abused on IRC several times in recent days. Then
BLH> today I had someone claim they had the root password on my machine
BLH> at home. So I telnetted in, changed it and waited since he claimed
BLH> he was going to hack it. Apparently he did because I caught him
BLH> with a login process which I promptly killed, then being rather
BLH> peeved I /kill'd him on irc. This apparently pissed him off even
BLH> more so he re-hacked my machine and brought it down, at this time
BLH> I'm not even sure if it's revivable as I've not had a chance to
BLH> check it, all I know is that it's dead in the water currently. Right
BLH> after that I did a netstat -n on the machine I was on at
BLH> work. Voila.. there were about two dozen connections from his IP (I
BLH> checked) to my identd port (113). Now I'm guessing that Solaris
BLH> 2.5x86 doesn't have the same bug or I caught it in time since I saw
BLH> no adverse effects on that machine. The machine affected (and
BLH> killed) was a linux 2.0.0 machine, but I have heard of many other
BLH> machines of random type being affected in such a manner.

It's not really clear to me that 'identd' was involved in the attack on
your Linux system.  The second intrusion could very well have been
accomplished via a trojan /bin/login, /usr/sbin/in.telnetd, etc., since
a previous root-level intrusion had apparently occurred.  Replacing
/bin/login with a "back door password" version is a logical step #1
after cracking a box; doing this is part of some "root kits."

Also, depending upon your configuration, both the first and the
subsequent intrusions could have been done sans password using something
like the now-well-known shared-library/in.telnetd exploit; the cracker
might very well have been claiming to have your root password simply to
confuse the issue and point you in the wrong direction.

--Up.

--
Jeff Uphoff - systems/network admin.  |  juphoff () nrao edu
National Radio Astronomy Observatory  |  juphoff () bofh org uk
Charlottesville, VA, USA              |  jeff.uphoff () linux org
    PGP key available at: http://www.cv.nrao.edu/~juphoff/
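The check Brett describes doing by hand (a `netstat -n` showing a couple of dozen connections from one IP to port 113) as an added script that is not part of this thread: it parses Linux-style `netstat -n` output, counts sessions to the local ident port per remote address, and flags any peer at or above a threshold. The sample netstat text and the threshold of 10 are constructed/assumed, not taken from the thread.

```python
"""Flag bursts of connections to the local ident port (TCP/113) in netstat -n output."""
from collections import Counter

IDENT_PORT = 113
BURST_THRESHOLD = 10  # assumption: this many sessions from one peer is worth a look

# Constructed sample in Linux ``netstat -n`` format (not from the thread): 24 ident
# sessions from one peer plus two unrelated lines; addresses are documentation ranges.
SAMPLE_NETSTAT = (
    "Active Internet connections (w/o servers)\n"
    "Proto Recv-Q Send-Q Local Address           Foreign Address         State\n"
    + "".join(
        f"tcp        0      0 192.0.2.10:113          198.51.100.7:{40000 + i}      ESTABLISHED\n"
        for i in range(24)
    )
    + "tcp        0      0 192.0.2.10:113          203.0.113.5:51000       TIME_WAIT\n"
    + "tcp        0      0 192.0.2.10:23           203.0.113.5:51001       ESTABLISHED\n"
)


def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith("tcp"):
            continue  # header lines
        local_ip, local_port = parts[3].rsplit(":", 1)
        remote_ip, remote_port = parts[4].rsplit(":", 1)
        if not (local_port.isdigit() and remote_port.isdigit()):
            continue  # listeners show '*' for the port
        state = parts[5] if len(parts) > 5 else ""
        yield local_ip, int(local_port), remote_ip, int(remote_port), state


def ident_sessions_by_peer(text, port=IDENT_PORT):
    """Count connections to the local ident port, keyed by remote address."""
    counts = Counter()
    for _lip, lport, rip, _rport, _state in parse_netstat(text):
        if lport == port:
            counts[rip] += 1
    return counts


def suspicious_peers(text, threshold=BURST_THRESHOLD):
    """Return {remote_ip: count} for peers at or above the burst threshold."""
    return {ip: n for ip, n in ident_sessions_by_peer(text).items() if n >= threshold}
```

On a live Linux host, pass the captured text of `netstat -n` to `suspicious_peers`; Solaris prints a different table layout, so its output would need its own parser.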