On Mon, 16 Mar 1998, Dave G. wrote:
>
>> So, someone has a program that connects to the 'auth' port and overflows
>> some buffer to gain a root shell. This exploit is either in inetd or
>> identd (I am thinking it is in inetd, because identd is run as
>> 'nobody'). If anyone would like to check out inetd for any holes,
>> please do so as I am doing. Another clue in this is that one of the
>> environment variables set was:
>>
>
>Did you actually watch them exploit a vulnerability in identd? They
>easily could have broken in via another means, and then patched
>inetd, identd or even tcp wrappers to execute a shell given specific
>input( i.e. a backdoor or a trojan ).
>
>> dummy=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>
>> Which means the hole may exist in the environment variables system.
>>
>
>Did they do anything with this variable, like possibly execute another
>command with $dummy as a command line argument?
>
In any case I would recommend that you more strictly control access to your
inetd services that you require using tcp wrappers, which come standard with
Red Hat. TCP wrappers will also increase your logging capability for these
types of exploits...
You can then set up your /etc/hosts.allow to only allow those machines which
you are certain are okay to access those services which may be exploited,
e.g. identd, time services, old versions of imapd and pop3d, etc.
For info on tcp wrappers see the man pages on
tcpd
hosts.allow
A good place to watch for these types of standard exploits and what to do
about them is the Linux-Security mailing list and the more general BugTraq
mailing list.
http://www.redhat.com/ (For linux-security)
http://www.geek-girl.com/bugtraq/ (For Bugtraq mail list and archives)
In fact Bugtraq is one of the best lists I have ever lurked on.
Hope this helps
Regards
Terrence
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.
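The hosts.allow/hosts.deny setup the reply above recommends, as an added example that is not part of the original thread and not code from the tcp_wrappers package: a small Python model of the order in which tcpd evaluates the two files, run against constructed sample files. The daemon names (in.identd, ipop3d, in.timed) and the addresses (192.168.1.0/255.255.255.0, 10.0.0.5) are assumptions chosen for the illustration. The point it makes is the check a practitioner wants before relying on this: a restrictive hosts.allow grants nothing on its own, because a client matching neither file is allowed, so hosts.deny needs a catch-all ALL : ALL.

```python
"""Simplified model of the tcp_wrappers hosts_access(5) decision logic.

Added illustration for the mailing-list reply above; it is neither the
poster's code nor part of the tcp_wrappers/libwrap package.  It reproduces
only the evaluation order that matters when writing /etc/hosts.allow and
/etc/hosts.deny:

  1. hosts.allow is searched first; the first matching rule grants access
  2. otherwise hosts.deny is searched; the first matching rule denies access
  3. a client that matches neither file is ALLOWED

Supported client patterns are a subset of the real syntax: ALL, LOCAL,
exact address or host name, trailing-dot address prefix (192.168.1.),
leading-dot domain suffix (.example.com), net/mask, and EXCEPT.  Options
after the second ':' (spawn, twist, ...) are ignored.
"""
import ipaddress

# Constructed sample files (assumed daemon names and addresses).
HOSTS_ALLOW = """
# admin subnet may reach identd and POP3; one host may reach the time service
in.identd, ipop3d : 192.168.1.0/255.255.255.0
in.timed          : 10.0.0.5
"""

HOSTS_DENY = """
# without this catch-all the restrictions above grant nothing
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from a hosts.allow/deny body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))
    return rules


def _daemon_matches(token, daemon):
    return token == "ALL" or token == daemon


def _client_matches(token, ip, host):
    if token == "ALL":
        return True
    if token == "LOCAL":                      # host name without a dot
        return "." not in host
    if "/" in token:                          # net/mask form
        net, mask = token.split("/", 1)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    if token.endswith("."):                   # address prefix, e.g. 192.168.1.
        return ip.startswith(token)
    if token.startswith("."):                 # domain suffix, e.g. .example.com
        return host.endswith(token)
    return token in (ip, host)


def _list_matches(list_str, matches_one):
    """Evaluate 'a, b EXCEPT c, d': any of the head matches and none of the tail."""
    if " EXCEPT " in list_str:
        head, tail = list_str.split(" EXCEPT ", 1)
        return _list_matches(head, matches_one) and not _list_matches(tail, matches_one)
    return any(matches_one(t) for t in list_str.replace(",", " ").split())


def hosts_access(daemon, ip, host, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return ('allow' | 'deny', reason) in libwrap's order of evaluation."""
    def first_hit(rules):
        for daemons, clients in rules:
            if _list_matches(daemons, lambda t: _daemon_matches(t, daemon)) and \
               _list_matches(clients, lambda t: _client_matches(t, ip, host)):
                return f"{daemons} : {clients}"
        return None

    hit = first_hit(parse_rules(allow_text))
    if hit:
        return "allow", f"hosts.allow: {hit}"
    hit = first_hit(parse_rules(deny_text))
    if hit:
        return "deny", f"hosts.deny: {hit}"
    return "allow", "no rule matched; tcp_wrappers default is to allow"


if __name__ == "__main__":
    for daemon, ip, host, deny in [
        ("in.identd", "192.168.1.20", "ws20.lan", HOSTS_DENY),
        ("in.identd", "203.0.113.9", "outside.example.net", HOSTS_DENY),
        ("in.identd", "203.0.113.9", "outside.example.net", ""),  # forgot hosts.deny
    ]:
        verdict, why = hosts_access(daemon, ip, host, HOSTS_ALLOW, deny)
        print(f"{daemon:10} {ip:15} -> {verdict:5} ({why})")
```

The third case in the demo is the usual mistake: with an empty hosts.deny the outside host is allowed to reach identd even though hosts.allow names only the admin subnet. Against the real files, the tcpdchk(8) and tcpdmatch(8) tools shipped with tcp_wrappers give the authoritative answer; this model only shows why the catch-all deny matters.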