Security Incidents mailing list archives
Re: Rooted through in.identd on Red Hat 6.0
From: sec () ORGONE NEGATION NET (jms)
Date: Fri, 21 Apr 2000 14:30:07 -0700
On Fri, 21 Apr 2000, Del Elson wrote:

> J.J. Horner wrote:
> > Hi,
> >
> > A client was hacked last week by what looked like a buffer overflow through in.identd. This was on a Red Hat 6.0 box. RH don't have any current security notices or fixes for in.identd on their servers, and I haven't seen other boxes hacked through in.identd recently.
>
> > Well, he could have gotten in somewhere else and just put the backdoor in identd. I've had people get in on nameservers with old versions of BIND, then backdoor another service.
> >
> > Jon
>
> This is the most likely suggestion I've seen to date. I didn't have access to the box before the hack (otherwise I would have darn well patched it) but it's conceivable that it got rooted ages ago and the most recent attack was through a previous backdoor put into inetd or identd.
>
> It wasn't running BIND (note to all of the dozen or so people who e-mailed me dead certain that it was ... it's rather hard to use the ADMROCKS worm to get in to BIND on a machine that it's not even installed on, let alone running on ... I deleted a pile of mail on this without replying, not my usual style, but then there has been a flood of junk on this topic). It wasn't running FTPD, it wasn't running anything else with open ports. I don't know what else to suspect. It's conceivable that a trojan inetd/identd had been on the system for some time.
>
> Del
of course, if the user ssh's in from a compromised box, he has probably given up local access via trojaned ssh binary.

-jason storm
jms () negation net
/* hard work never killed nobody, but i aint takin no chances. */
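The thread's working theory is that inetd, identd or the ssh binary was replaced rather than exploited directly. On a Red Hat box the quickest first check is `rpm -V`, which compares installed files against the package database; the filter below (an added example, not code from the list or any poster) reads `rpm -V` output and keeps only files whose size or MD5 digest changed, or which are missing, and runs here on a constructed sample instead of a live system.

```shell
#!/bin/sh
# Constructed sample of `rpm -V` output, not captured from the hacked box.
# Columns: S=size M=mode 5=MD5 D=device L=link U=user G=group T=mtime,
# an optional "c" for config files, then the path. "missing" means the
# file is gone entirely.
SAMPLE='S.5....T    /usr/sbin/in.identd
........    /usr/sbin/inetd
.......T  c /etc/inetd.conf
S.5....T    /usr/bin/ssh
missing     /usr/sbin/sshd'

# Read rpm -V lines on stdin; print paths whose contents changed (size or
# MD5 differs) or which are missing. Mode/mtime-only changes and untouched
# files are dropped, since those are noise when hunting a replaced binary.
flag_replaced_binaries() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        status=${line%% *}      # first column: verify flags or "missing"
        path=${line##* }        # last column: the file path
        case "$status" in
            missing)   printf '%s\n' "$path" ;;
            *S*|*5*)   printf '%s\n' "$path" ;;
        esac
    done
}

# Demo on the constructed sample. On a real host feed it the packages that
# own the suspect daemons instead, e.g.:
#   rpm -Vf /usr/sbin/inetd /usr/sbin/in.identd /usr/bin/ssh | flag_replaced_binaries
printf '%s\n' "$SAMPLE" | flag_replaced_binaries
```

The rpm database lives on the same disk an intruder controlled, so a clean result only rules out the sloppy case; compare against digests from install media or a known-good host before trusting a binary.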