Security Incidents mailing list archives

Re: Rooted through in.identd on Red Hat 6.0

From: jhorner () KNOXLUG ORG (J. J. Horner)
Date: Thu, 20 Apr 2000 09:25:51 -0400


On Wed, 19 Apr 2000, Del Elson wrote:

Hi,

A client was hacked last week by what looked like a buffer
overflow through in.identd.  This was on a Red Hat 6.0
box.

RH don't have any current security notices or fixes for
in.identd on their servers, and I haven't seen other
boxes hacked through in.identd recently.

<snip>

Anyone know of any current bug notices, exploits, or
patches for in.identd?

Del


Well, he could have gotten in somewhere else and just put the backdoor in
identd.  I've had people get in on nameservers with old versions of BIND,
then backdoor another service.

Jon

--
J. J. Horner
Apache, Perl, Unix, Linux
jhorner () knoxlug org http://www.knoxlug.org/

Current thread:

Rooted through in.identd on Red Hat 6.0, (continued)
- - Rooted through in.identd on Red Hat 6.0 Del Elson (Apr 18)
    - Re: Rooted through in.identd on Red Hat 6.0 Sebastian (Apr 20)
    - Re: Rooted through in.identd on Red Hat 6.0 Dmitry Alyabyev (Apr 20)
    - RH6.1/IPChains box hacked J. J. Horner (Apr 20)
    - Re: RH6.1/IPChains box hacked Jon Lewis (Apr 21)
    - Re: RH6.1/IPChains box hacked mad () STUDENTS ZCU CZ (Apr 21)
    - Re: RH6.1/IPChains box hacked Del Elson (Apr 24)
    - Re: Rooted through in.identd on Red Hat 6.0 Cold Fire (Apr 20)
    - Re: Rooted through in.identd on Red Hat 6.0 Jose Nazario (Apr 21)
    - Re: Rooted through in.identd on Red Hat 6.0 Richard Wash (Apr 20)
    - Re: Rooted through in.identd on Red Hat 6.0 J. J. Horner (Apr 20)
    - Re: Rooted through in.identd on Red Hat 6.0 Del Elson (Apr 21)
    - Re: Rooted through in.identd on Red Hat 6.0 jms (Apr 21)
    - !!!Linux ELF infector!!! dEStr0YEr (Apr 21)
    - Re: !!!Linux ELF infector!!! John Flux (Apr 24)
    - BIND 8.2.2.-P3, 0-day exploit Patrick Oonk (Apr 22)
    - Re: BIND 8.2.2.-P3, 0-day exploit Jon Lewis (Apr 24)
    - Re: BIND 8.2.2.-P3, 0-day exploit kj (Apr 24)
    - Odd snmp scans from 10.0.0.0/8 address ??? Russell Fulton (Apr 25)
    - Re: BIND 8.2.2.-P3, 0-day exploit Stone (Apr 26)
    - Re: BIND 8.2.2.-P3, 0-day exploit Ryan Russell (Apr 27)

(Thread continues...)