[17] in Security FYI
Re: new security hole found in amd program
daemon@ATHENA.MIT.EDU (Eric Prud'hommeaux)
Tue Aug 24 23:29:28 1999
Date: Tue, 24 Aug 1999 23:29:11 -0400
From: "Eric Prud'hommeaux" <eric@w3.org>
To: net-security@MIT.EDU
Cc: security-fyi@MIT.EDU
Message-Id: <19990824232911.A3430@w3.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
In-Reply-To: <199908250033.UAA05321@the-oz.mit.edu>
On Tue, Aug 24, 1999 at 08:33:21PM -0400, mhpower@MIT.EDU wrote:
> A security problem has recently been found in the Unix amd (automount
> daemon) -- the problem can allow intruders to break in to your
> computer remotely, gaining root access immediately in most cases.
> Intruders have been exploiting this vulnerability actively this week
> to break into MIT computers, particularly ones running Red Hat Linux.
> If there is an amd program running on your computer, you should kill
> the process now in order to avoid remote root compromise. The web page
>
> http://web.mit.edu/net-security/www/fyi/fyi-1999-004-amd.html
>
> describes how to kill the process, and contains other information
> related to the issue and the possibility of software patches.
>
> Matt Power
> Network Security team, MIT Information Systems
In the Red Hat instructions, it says to:

    rm /etc/rc.d/rc[0-9].d/S[0-9][0-9]amd

This will leave the rpm database in an uninformed state. I believe it
would be better to:

    rpm -e am-utils

The admins may also:

    # /sbin/chkconfig --list amd
    amd 0:off 1:off 2:off 3:off 4:off 5:off 6:off

All "off"s indicate that it wouldn't run (although it may well be
worth removing anyways).
--
-eric
(eric@w3.org)
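
The two boot-time checks discussed in this message, written as a script. This is an added example, not part of the original message or the MIT advisory. The function names and the optional root-directory argument are assumptions of the example, there so the check can be pointed at a test tree.

```sh
#!/bin/sh
# Added example: does amd start at boot on a SysV-init (Red Hat style) host?

# Read one line of `chkconfig --list` output on stdin
# (format: "amd 0:off 1:off ... 6:off") and print the runlevels
# marked "on", space separated. Prints an empty line if none are on.
levels_on() {
    awk '{ out = ""
           for (i = 2; i <= NF; i++) {
               split($i, kv, ":")
               if (kv[2] == "on") out = out (out == "" ? "" : " ") kv[1]
           }
           print out }'
}

# Print the runlevels that still have an S??amd start link under $1
# (default /etc/rc.d). These are the links the quoted rm command deletes.
start_links() {
    root=${1:-/etc/rc.d}
    out=""
    for link in "$root"/rc[0-9].d/S[0-9][0-9]amd; do
        # An unmatched glob stays literal; skip it. Keep dangling symlinks.
        [ -e "$link" ] || [ -L "$link" ] || continue
        level=${link%.d/*}     # strip "/.../rcN.d/S??amd" down to ".../rcN"
        level=${level##*rc}    # keep only the runlevel digit
        out="${out:+$out }$level"
    done
    echo "$out"
}

# Return 0 if no start link exists, 1 if amd would start in some runlevel.
amd_boot_status() {
    root=${1:-/etc/rc.d}
    levels=$(start_links "$root")
    if [ -n "$levels" ]; then
        echo "amd starts in runlevels: $levels"
        return 1
    fi
    echo "amd has no start links under $root"
    return 0
}
```

Typical use is `/sbin/chkconfig --list amd | levels_on` followed by `amd_boot_status`. Neither check says whether an amd process is running right now, so the advisory's step of killing the process still applies.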