[1226] in linux-security and linux-alert archive
Re[2]: [linux-security] Attempt to break through ftp
daemon@ATHENA.MIT.EDU (Evgeny Stambulchik)
Wed Oct 16 18:31:52 1996
From: Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il>
Date: Wed, 16 Oct 1996 18:03:24 +0200 (GMT+0200)
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199610161004.LAA09755@snowcrash.cymru.net>
Hello,
First of all, thanks a lot to all who replied to me!
-------------------------------
Alan Cox <alan@cymru.net> wrote:
> Probably the old LD_LIBRARY_PATH telnetd shared library attack.
Yes, I guessed it, just didn't know which exploit source it was compiled from.
Thanks to Andrew Tridgell for reference!
> Since you
> are clued up enough to read this group I think you'll have a modern telnetd
Yes, of course I have the patched version since the first alert.
> Put that file back in /tmp on your box and check if you get
>
> %telnet
> telnet>environ define LD_PRELOAD /tmp/lininfo.zip
> telnet>environ export LD_PRELOAD
> telnet>telnet localhost
> root-access
> Welcome to the ...
However, in my case it was in ~ftp/incoming, which had mode 733 (and was owned by
root). I think it would prevent the bug in old telnetd from being exploited anyway,
though I don't have the buggy version at hand to check it.
[Mod: Mode 733 wouldn't have prevented exploit; inetd runs telnetd as
root. --Jeff.]
-------------------------------------------------------
Comfort is Treachery <wvdputte@reptile.rug.ac.be> wrote:
> Don't you have identd in your logs?
AFAIU, identd should be running on client's box + ftpd server must be able to
talk to it. Which ftpd has this capability?
---------------------------------------------
James Fidell <james@corp.netcom.net.uk> wrote:
> E-mail to abuse@netcom.com will get an auto-response but should get
> dealt with by the staff that handle Net abuse.
Thanks, I'll do that.
Regards,
Evgeny
BTW, it seems that there are no searchable html'ized archives of this list. That
at www.sonic.net has only year 95 partly (and glimpse search is broken). If there
are no objections, I can volunteer to do it.
--
____________________________________________________________
/ Evgeny Stambulchik <fnevgeny@plasma-gate.weizmann.ac.il> \
/ Plasma Laboratory, Weizmann Institute of Science, Israel \ \
| Phone : (972)8-934-3610 == | == FAX : (972)8-934-3491 | |
| URL : http://plasma-gate.weizmann.ac.il/~fnevgeny/ | |
| Finger for PGP key >=====================================+ |
|______________________________________________________________|
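
Added example, not part of the original message and not code from any telnetd release: a sketch of the server-side check that defeats the `environ export LD_PRELOAD` sequence quoted above, by dropping dynamic-linker variables from the client-supplied environment before login is started. The prefix list and the function names `env_is_unsafe` and `scrub_env` are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Prefixes of variables that steer the dynamic linker or the shell.
 * Assumption for this example, not the list used by any real telnetd. */
static const char *const unsafe_prefixes[] = {
    "LD_", "_RLD_", "LIBPATH=", "IFS=", NULL
};

/* Return 1 if a NAME=value entry must not be handed on to login. */
int env_is_unsafe(const char *entry)
{
    for (size_t i = 0; unsafe_prefixes[i] != NULL; i++) {
        size_t len = strlen(unsafe_prefixes[i]);
        if (strncmp(entry, unsafe_prefixes[i], len) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment array in place, dropping unsafe
 * entries. Returns the number of entries removed. */
size_t scrub_env(char **envp)
{
    char **dst = envp;
    size_t removed = 0;

    for (char **src = envp; *src != NULL; src++) {
        if (env_is_unsafe(*src))
            removed++;          /* skip it: never reaches the child */
        else
            *dst++ = *src;      /* keep harmless entries in order */
    }
    *dst = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample of what a client could send via "environ export". */
    char *env[] = { "TERM=vt100", "LD_PRELOAD=/tmp/lininfo.zip",
                    "DISPLAY=host:0", "LD_LIBRARY_PATH=/tmp", NULL };

    printf("removed %zu entries\n", scrub_env(env));
    for (char **e = env; *e != NULL; e++)
        puts(*e);
    return 0;
}
```

The check keys on the variable name only, so it applies regardless of the permissions on the directory the uploaded file sits in. Passing on only an explicit allowlist of variables is the stricter design.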