Bugtraq mailing list archives
Re: mountd remote exploit?
From: morex () NIRVANA NET (morex .-)
Date: Tue, 29 Sep 1998 00:11:43 -0400
To my knowledge there are 3 different versions of the mountd remote exploit going around. I found a bin on my shell server from a user and ran it on an outdated box of my own and it did work. I have not seen the source.. only the bin. So I do know there is a remote exploit going around.

morex .-
http://morex.net
http://www.worldnetworks.net

On Mon, 28 Sep 1998, John Caldwell wrote:

This morning at about 2am, someone managed to get into my machine using some type of mountd exploit. I was watching at the time, so they weren't able to do much damage, but it looks like they were able to NFS mount my root drive remotely, even though it's not listed in the /etc/exports. I was led to believe it was mountd by this:

Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client xxx.xxx.xxx.xxx
Sep 28 02:35:15 harman syslogd: Cannot glue message parts together
Sep 28 02:35:15 harman mountd[263]: Blocked attempt of xxx.xxx.xxx.xxx to mount ^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
Sep 28 02:35:15 harman (-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
-^E^H(-^E^H(-^E^H(-

The guy had added a line to my /etc/passwd and inetd.conf files allowing for easy root access, but didn't do much other damage.

I'm not very familiar with mountd and I haven't heard anything about remote exploits, so I thought I'd post about it. I couldn't find a current contact for the Linux NFS package, so that's why I posted here first.

--
-------------------------
| John Caldwell
| jcald () lake ml org
| http://www.lake.ml.org/
-------------------------
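The syslog pattern quoted in the message above (a mountd "Blocked attempt" whose mount path is a run of control characters, a syslogd reassembly failure, and an untagged fragment of binary data) can be searched for mechanically. The following is an added example, not code from either poster or from the Linux NFS package; the function names, finding codes and sample lines are constructed for illustration.

```python
import re

# Control characters as syslog renders them (caret notation) or as raw bytes.
CTRL = re.compile(r"\^[@-_?]|[\x00-\x1f\x7f]")
# "Mon DD HH:MM:SS host rest-of-line"
HEADER = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(.*)$")
BLOCKED = re.compile(r"^(?:rpc\.)?mountd(?:\[\d+\])?: Blocked attempt of (\S+) to mount (.*)$")
TAGGED = re.compile(r"^[\w./-]+(?:\[\d+\])?: ")

def findings(line):
    """Return (code, detail) pairs for one syslog line."""
    m = HEADER.match(line)
    if not m:
        return []
    body = m.group(1)
    blocked = BLOCKED.match(body)
    if blocked:
        client, path = blocked.groups()
        n = len(CTRL.findall(path))
        # A real export path is printable text; control characters mean binary data.
        return [("ctrl-chars-in-mount-path", f"{client}: {n} control chars")] if n else []
    if body.startswith("syslogd: Cannot glue message parts together"):
        return [("syslogd-glue-failure", "oversized message could not be reassembled")]
    if CTRL.search(body) and not TAGGED.match(body):
        return [("untagged-ctrl-fragment", "binary data without a program tag")]
    return []

def scan(lines):
    """Return (line_number, code, detail) for every finding, in log order."""
    return [(i, code, detail)
            for i, line in enumerate(lines, 1)
            for code, detail in findings(line)]

# Constructed sample input modelled on the excerpt above; the addresses are
# documentation placeholders and the padding lengths are arbitrary.
SAMPLE_LOG = [
    "Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client 192.0.2.10",
    "Sep 28 02:35:15 harman syslogd: Cannot glue message parts together",
    "Sep 28 02:35:15 harman mountd[263]: Blocked attempt of 192.0.2.10 to mount " + "^P" * 400,
    "Sep 28 02:35:15 harman " + "(-^E^H" * 40,
    "Sep 28 03:10:02 harman mountd[263]: Blocked attempt of 192.0.2.77 to mount /home/alice",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

An ordinary refused mount such as the last sample line produces no finding, so the output is limited to requests carrying binary data and the syslogd side effects around them.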