Security Incidents mailing list archives
Re: RedHat compromise
From: Andreas Östling <andreaso () it su se>
Date: Fri, 23 Feb 2001 15:30:41 +0100
On Monday 19 February 2001 22:43, Jim Roland wrote:
> ...
> From the remote network, I am able to telnet to port 54321 and get a telnet prompt on the box. Further investigation shows that all TCP connections are denied.
> ...

I guess you just saw the telnet banner and not the actual login prompt?

If TERM is set to "owned" you get in as root without any password when telneting to port 54321 (/bin/login is modified this way).

When /bin/login is called and TERM is not set to "owned", it calls /usr/sbin/xcat (which is suid root) with "login" as argument, which calls itself with "login" as argument. This will however make xcat call itself again, and again, and again... I'm not sure why it does that, but it may explain why the host I analyzed had a ~50, ~50, ~50 load average and a huge amount of xcat processes running.

If /usr/sbin/xcat is called and TERM is set to "nigwarsh" you will instead get a shell.

Regards,
Andreas Östling
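A host triage script for the indicators in the post above, added here as an example and not the poster's or the list's code; it assumes only what the post states (the paths /bin/login and /usr/sbin/xcat, the TERM trigger strings "owned" and "nigwarsh", and a pile of xcat processes) and is meant to be run on a suspect box from a known-good shell.

```shell
#!/bin/sh
# Added triage helper for the trojaned login / xcat described in the thread.
# Assumed indicators, all taken from the post: /bin/login reacts to TERM=owned,
# a setuid-root /usr/sbin/xcat reacts to TERM=nigwarsh, and xcat respawns itself.

# Does a binary embed either TERM trigger string? (exit 0 = found; coarse check)
has_trigger_strings() {
    grep -a -q -e 'owned' -e 'nigwarsh' -- "$1"
}

# Is the setuid bit set on the file? (exit 0 = setuid)
is_suid() {
    [ -u "$1" ]
}

# How many running processes are named "$1"? (reads /proc/*/comm, prints 0 without /proc)
count_procs() {
    n=0
    for c in /proc/[0-9]*/comm; do
        [ -r "$c" ] || continue
        [ "$(cat "$c" 2>/dev/null)" = "$1" ] && n=$((n + 1))
    done
    echo "$n"
}

# One finding per line for the two files and the process name from the post.
triage() {
    for f in /bin/login /usr/sbin/xcat; do
        [ -e "$f" ] || { echo "ABSENT  $f"; continue; }
        is_suid "$f" && echo "SUID    $f"
        has_trigger_strings "$f" && echo "STRINGS $f contains 'owned' or 'nigwarsh'"
        # Compare the file against the RPM database when rpm is available.
        if command -v rpm >/dev/null 2>&1; then
            rpm -Vf "$f" >/dev/null 2>&1 || echo "RPM-V   $f differs from its package"
        fi
    done
    echo "PROCS   xcat: $(count_procs xcat)"
}

triage
```

A clean host prints nothing but "PROCS   xcat: 0" (and possibly "ABSENT  /usr/sbin/xcat"); any SUID, STRINGS or RPM-V line on /bin/login or /usr/sbin/xcat is worth pulling the binary for offline analysis.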