[1029] in linux-security and linux-alert archive
Re: [linux-security] qmail,wu.ftpd,deslogind, in.telnetsnoopd ?
daemon@ATHENA.MIT.EDU (Jonathan Larmour)
Tue Aug 20 08:23:46 1996
Date: Tue, 20 Aug 1996 12:46:56 +0100
To: "Paul D. Robertson" <proberts@clark.net>
From: Jonathan Larmour <JLarmour@origin-at.co.uk>
Cc: Frank Parato <fparato@gti.net>, linux-security@tarsier.cv.nrao.edu
At 20:19 19/08/96 -0400, Paul D. Robertson wrote:
>On Sun, 18 Aug 1996, Jonathan Larmour wrote:
>
>> Surely you must be running syslogd? There are many known problems with
>> syslogd to do with buffer overruns, and in particular if your syslogd
>> listens on the syslogd UDP port, then that could easily be the trouble.
>
>Hrm, all the exploits I've seen deal with the syslog library call, not the
>daemon, and the Linux libraries have been fixed for a while. Could you
>provide more info on the daemon problems?

Fixed for a few months, yes. Also (I think) BugTraq recently showed some
tests that meant there could still be more in syslog(d). (I'm not sure
admittedly).

I was questioning his assertion that there were no other daemons on his
system, and given its history, both syslog and syslogd are not exactly
exempt from suspicion.

As it turns out after some private e-mails, it seems almost certain that it
was the exported telnet LD_LIBRARY_PATH exploit. He found a version of
libc.so.4 in a user's directory.

[REW: Funny that the actual culprit was indeed listed in that first
message. I'd have guessed that listing just a few daemons would most
likely miss the actual culprit.... :-]

Jonathan L.
Origin UK, 323 Cambridge Science Park, Cambridge, England. CB4 4WG.
Tel: +44 (1223) 423355 Fax: +44 (1223) 420724 E-mail: guess...
-------[ Do not think that every sad-eyed woman has loved and lost... ]------
-----------------------[ she may have got him. -Anon ]-----------------------
These opinions are all my own fault.
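
Added example, not part of the original message: a check for the indicator reported above, a copy of a system library (libc.so.4) sitting in a user's directory. The function names, the name-matching heuristic and the sample directory tree are assumptions made for illustration; this is not the procedure the poster used.

```shell
#!/bin/sh
# Added example (hypothetical helper names, constructed sample data).
# Reports shared libraries under SCAN_ROOT whose file name matches a
# library in TRUSTED_DIR, i.e. copies that shadow a system library.

# Usage: find_shadow_libs TRUSTED_DIR SCAN_ROOT
find_shadow_libs() {
    trusted=$1
    root=$2
    # Regular files and symlinks named like shared objects, hidden
    # directories included.
    find "$root" \( -type f -o -type l \) -name 'lib*.so*' 2>/dev/null |
    while IFS= read -r path; do
        name=${path##*/}
        # Same file name as a trusted library: a loader that honours an
        # LD_LIBRARY_PATH pointing at this directory would pick this
        # copy ahead of the system one.
        if [ -e "$trusted/$name" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Builds a constructed sample tree and prints its base directory.
make_sample_tree() {
    base=$(mktemp -d) || return 1
    mkdir -p "$base/lib" "$base/home/alice/.hidden" "$base/home/bob/src"
    : > "$base/lib/libc.so.4"
    : > "$base/lib/libm.so.4"
    : > "$base/home/alice/.hidden/libc.so.4"    # shadows the system libc
    : > "$base/home/bob/src/libmyproject.so.1"  # private library, no match
    printf '%s\n' "$base"
}

# When called with two arguments, scan a real tree, for example:
#   sh check.sh /lib /home
if [ "$#" -eq 2 ]; then
    find_shadow_libs "$1" "$2"
fi
```

A hit is a lead for review, not proof of compromise: compare the copy against the trusted library and check its owner and timestamps.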