Security Incidents mailing list archives

Re: Linuxconf scanning


From: "Granquist, Lamont" <lamont () ICOPYRIGHT COM>
Date: Tue, 22 Aug 2000 13:34:42 -0700

AFAIK you win the prize for the first person to publicly report that a
linuxconf version is remotely exploitable.  Public information to-date
(well as of a few months ago when I last checked) indicated that linuxconf
was not vulnerable (at least in RH6.x) and that the linuxconf scanning
that was reported was likely just OS detection or an exploit for an
outdated version.  If anyone has updated info, it'd be appreciated.

On Mon, 14 Aug 2000, Jim Roland wrote:
Forget getting any further response from them.  I sent a message to them
when a RedHat 6.1 box I had was scanned and compromised with linuxconf (I
closed the hole quickly) a customer of mine.  I got the automated response
they received my email, but nothing further from them ever again.  That was
over 3 months ago.  Looks like the same guy is up to his old tricks again.

Good Luck,
Jim


On Thu, 10 Aug 2000, Brian Sommers wrote:

Date: Thu, 10 Aug 2000 15:11:43 -0500
From: Brian Sommers <brian.sommers () CNALIFE COM>
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Linuxconf scanning

Just recently I did get a manual response from bora.net; I had sent a notice
to both help () bora net and ipadm () bora net and received a reply that they were
investigating.  The message signature also had the following:

------------------------------
Security Staff,
BORANet/DACOM
E-mail : security () bora net
phone : +82 2 6220 7413
fax : +82 2 6220 0340
------------------------------


-----Original Message-----
From:     Dan Hollis [SMTP:goemon () ANIME NET]
Sent:     Wednesday, August 09, 2000 5:33 PM
To:       INCIDENTS () SECURITYFOCUS COM
Subject:  Re: [INCIDENTS] Linuxconf scanning

On Tue, 8 Aug 2000, James Hoagland wrote:
APNIC was having connection problems yesterday but I managed to get
through to find out it was a Korean address and got
b0048228 () users bora net as the contact address from KRNIC.  The IP
seems to be part of BORANET in Kyongnam, Korea.  I also e-mailed
abuse () bora net.  I haven't gotten any replies but haven't gotten any
bounces either.

bora.net never answers. i don't know if it is a language barrier or if
bora.net is black hat, but it's enough for me to blackhole all of their IP
space.

-Dan



