Sucks to be me!

I am using a Red Hat 5.0 system with (as far as I know) all the errata
applied, so this doesn't bode well for Red Hat security in general.  :)

I am using kernel 2.0.34pre11b, so I can't absolutely rule out the
possibility of a kernel bug.  However I think it's unlikely since 2.0.34
FIXES security bugs, not introduces them; there haven't been any security
related bugs in 11b that I am aware of.

Based on my inspection so far, the hole appears to be in in.telnetd.
This is because the ps aufx command shows a tree like this:

in.telnetd
 \_ in.telnetd
 |   \_ sh -i
 |       \_ lots of evil stuff
 \_ in.telnetd
     \_ sh -i
         \_ more evil stuff

None of those processes had a controlling terminal.

This strikes me as odd, because I can't think of any reason whatsoever that
telnetd would spawn another telnetd.  Originally I thought that Bad Guy
logged in, did something evil to telnetd, then logged out, leaving his
original telnetd to inherit the one that he used to break in, and the
shells and friends it spawned.  Then I reasoned that telnetd isn't suid
root, which confused the issue and made this seem unlikely.

I'm currently going through the RPM database, what remains of the logs,
etc. looking for more clues.

The second-tier telnetds appear, from their entries in /proc, to have
been spawned as ./ commands, so who knows what they really are.
-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.

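The three clues the poster relies on (a network daemon spawning a copy of itself, that copy invoked as a ./ command, and interactive shells with no controlling terminal beneath it) can be turned into a repeatable check over process-listing output. The script below is an added example written for this page, not code from the poster or from Red Hat; it assumes the column layout of `ps -eo pid,ppid,tty,args` (PID, PPID, TT, ARGS), and the process table it runs on is a constructed sample that mirrors the tree in the post, not a real capture.

```python
import re

# Constructed sample in the layout of `ps -eo pid,ppid,tty,args` (header plus rows).
# PIDs, names and the "bnc" child are made up to mirror the tree in the post.
SAMPLE_PS = """\
  PID  PPID TT       ARGS
    1     0 ?        init
  412     1 ?        in.telnetd
  519   412 ?        ./in.telnetd
  520   519 ?        sh -i
  531   520 ?        ./bnc
  602   412 ?        ./in.telnetd
  603   602 ?        sh -i
  700     1 tty1     -bash
  701   700 tty1     vi notes.txt
"""

# Network daemons that should never have an interactive shell as a descendant
# with no controlling tty, and should never spawn a copy of themselves.
DAEMONS = {"in.telnetd", "in.ftpd", "in.rshd", "in.rlogind", "sshd"}

# An interactive shell invocation: optional path, a known shell name, and a -i flag.
SHELL_RE = re.compile(r"^(?:\S*/)?(?:sh|bash|ksh|csh|tcsh|zsh)\b.*\s-i\b")


def parse_ps(text):
    """Parse ps output into {pid: {"pid", "ppid", "tty", "args"}}; header line is skipped."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, tty, args = parts
        procs[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "tty": tty, "args": args}
    return procs


def basename(args):
    """Program name with any leading path (including ./) stripped."""
    return args.split()[0].rsplit("/", 1)[-1]


def ancestors(procs, pid):
    """Walk parent links upward; stops at a missing parent or on a cycle."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur and cur["ppid"] in procs and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = procs[cur["ppid"]]
        chain.append(cur)
    return chain


def find_suspicious(procs, daemons=DAEMONS):
    """Return (pid, reason) pairs for the three anomalies described in the post."""
    findings = []
    for p in sorted(procs.values(), key=lambda r: r["pid"]):
        name = basename(p["args"])
        first_word = p["args"].split()[0]
        parent = procs.get(p["ppid"])
        # 1. A daemon name invoked from a relative path (./in.telnetd) is not the
        #    installed binary; treat it as a lookalike until proven otherwise.
        if name in daemons and first_word.startswith("./"):
            findings.append((p["pid"], f"daemon name run as relative path: {p['args']}"))
        # 2. A daemon spawning another process with its own name has no normal reason.
        if name in daemons and parent and basename(parent["args"]) == name:
            findings.append((p["pid"], f"{name} spawned a copy of itself (parent pid {parent['pid']})"))
        # 3. Interactive shell with no controlling tty ('?') somewhere under a daemon.
        if SHELL_RE.match(p["args"]) and p["tty"] == "?":
            if any(basename(a["args"]) in daemons for a in ancestors(procs, p["pid"])):
                findings.append((p["pid"], "interactive shell without a controlling tty under a network daemon"))
    return findings


if __name__ == "__main__":
    for pid, reason in find_suspicious(parse_ps(SAMPLE_PS)):
        print(f"pid {pid}: {reason}")
```

On a live system the same parsing works on the output of `ps -eo pid,ppid,tty,args`; the relative-path check is deliberately done on the argument string, because the post's point is that the /proc entries showed the second-tier processes were started as ./ commands, so a name match alone says nothing about which binary is actually running.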