This message is important to anyone running RedHat Linux 5.0!! There is
a serious security problem that I don't believe anyone knows about!!
I recently had someone in Moscow, Russia, gain unauthorized access to my
system via the auth port. Here is the line from netstat (he hacked my
netstat, so I had to replace it with one that worked, and it produced
this):
tcp 0 0 CONFIDENTIAL:auth CONFIDENTIAL:57575 ESTABLISHED
(The actual IP addresses have been replaced with CONFIDENTIAL; the ports,
status and protocol are real.)
Here is a line that shows his root shell from ps:
root 30657 0.0 0.4 1116 624 ? S 07:18 0:00 lpd
Of course this process is not really the TCP/IP print daemon. This guy
had a program that would rename /bin/sh to lpd.
So, someone has a program that connects to the 'auth' port and overflows
some buffer to gain a root shell. This exploit is either in inetd or
identd (I am thinking it is in inetd, because identd is run as
'nobody'). If anyone would like to check out inetd for any holes,
please do so as I am doing. Another clue in this is that one of the
environment variables set was:
dummy=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Which means the hole may exist in the environment variables system.
Please e-mail me if you would like to help get rid of this nasty bug.
Anyone running RedHat 5.0's inetd and/or identd servers is affected.
-Jeff Hansen
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.
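The three symptoms reported above (a long-lived ESTABLISHED session on the auth port, a root process that calls itself lpd but is really a shell, and an environment variable stuffed with a long run of one character) can each be turned into a host triage check. The following is an added example written for this archive page; it is not code from the original poster or from Red Hat. It runs on constructed netstat and ps text modelled on the quoted lines, plus constructed dictionaries standing in for readlink on /proc/PID/exe and for /proc/PID/environ, so it works offline; the hostnames, pids and the list of expected daemon paths are assumptions, and on a live host you would feed in the real command output and /proc data instead.

```python
"""Triage heuristics for a disguised shell reached through the auth port.

Added example, not from the original post. All sample data below is
constructed; EXE_MAP and ENVIRON_MAP stand in for /proc/<pid>/exe and
/proc/<pid>/environ, which you would read directly on a real host.
"""
import os
import re

# Constructed netstat -tn output modelled on the line quoted in the post.
NETSTAT_SAMPLE = """\
tcp        0      0 myhost:auth             attacker.example:57575  ESTABLISHED
tcp        0      0 myhost:ssh              admin.example:40112     ESTABLISHED
tcp        0      0 0.0.0.0:auth            0.0.0.0:*               LISTEN
"""

# Constructed ps aux output; pid 30657 is the line quoted in the post.
PS_SAMPLE = """\
root     30657  0.0  0.4  1116  624  ?  S  07:18  0:00 lpd
root       123  0.0  0.3   980  512  ?  S  06:00  0:00 inetd
root       456  0.0  0.3  1020  540  ?  S  06:00  0:00 lpd
root       789  0.0  0.3  1020  540  ?  S  07:20  0:00 lpd
"""

# Constructed stand-in for os.readlink("/proc/<pid>/exe").
EXE_MAP = {
    30657: "/bin/sh",          # shell that set argv[0] to "lpd"
    123: "/usr/sbin/inetd",
    456: "/usr/sbin/lpd",      # the legitimate print daemon
    789: "/tmp/.x/lpd",        # a copy of sh dropped under the daemon's name
}

# Constructed stand-in for /proc/<pid>/environ, already split on NUL.
ENVIRON_MAP = {
    30657: ["PATH=/bin:/usr/bin", "dummy=" + "x" * 76],
    123: ["PATH=/sbin:/bin"],
}

# Assumed: where these daemons live on the box being checked.
EXPECTED_DAEMON_PATHS = {"lpd": {"/usr/sbin/lpd"}, "inetd": {"/usr/sbin/inetd"}}

# identd answers one query and closes, so an ESTABLISHED session here is odd.
SHORT_LIVED_SERVICES = {"auth", "113"}


def established_on_service(netstat_text, services=SHORT_LIVED_SERVICES):
    """Return (local, remote) for ESTABLISHED tcp sockets whose local
    service name or port is in `services`."""
    hits = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 6 or f[0] != "tcp" or f[5] != "ESTABLISHED":
            continue
        if f[3].rsplit(":", 1)[-1] in services:
            hits.append((f[3], f[4]))
    return hits


def masquerading_processes(ps_text, exe_map, expected=EXPECTED_DAEMON_PATHS):
    """Return (pid, comm, exe) where the name ps shows does not match the
    executable behind it, or where a known daemon name runs from a path
    other than the expected one. Catches both a renamed argv[0] and a copied
    binary, which a plain `ps` listing hides."""
    suspects = []
    for line in ps_text.splitlines():
        f = line.split()
        if len(f) < 11:
            continue
        pid, comm = int(f[1]), os.path.basename(f[10])
        exe = exe_map.get(pid)
        if exe is None:
            continue
        wrong_name = os.path.basename(exe) != comm
        wrong_path = comm in expected and exe not in expected[comm]
        if wrong_name or wrong_path:
            suspects.append((pid, comm, exe))
    return suspects


def padded_env_vars(environ, min_run=64):
    """Return NAME=VALUE entries whose value is one byte repeated at least
    `min_run` times: the filler a stack-smashing payload staged through the
    environment typically leaves behind."""
    pattern = re.compile(r"^([^=]+)=(.)\2{%d,}$" % (min_run - 1))
    return [entry for entry in environ if pattern.match(entry)]


def triage(netstat_text, ps_text, exe_map, environ_map):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    for local, remote in established_on_service(netstat_text):
        findings.append("long-lived session on %s from %s" % (local, remote))
    for pid, comm, exe in masquerading_processes(ps_text, exe_map):
        findings.append("pid %d claims to be %s but runs %s" % (pid, comm, exe))
        for entry in padded_env_vars(environ_map.get(pid, [])):
            findings.append("pid %d carries padded env var %s"
                            % (pid, entry.split("=", 1)[0]))
    return findings


if __name__ == "__main__":
    for finding in triage(NETSTAT_SAMPLE, PS_SAMPLE, EXE_MAP, ENVIRON_MAP):
        print(finding)
```

On a real host the exe and environ maps come from `os.readlink("/proc/%d/exe" % pid)` and `open("/proc/%d/environ" % pid, "rb").read().split(b"\0")`, which is exactly the comparison that exposes a process whose argv[0] says lpd while its text segment is /bin/sh. Note that a trojaned ps or netstat, as the poster describes, can lie about the process list, so run these checks with binaries copied from a trusted medium or from a rescue boot.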