[1262] in linux-security and linux-alert archive
[linux-security] Linux and lpd
daemon@ATHENA.MIT.EDU (John Fulmer)
Thu Oct 24 20:07:29 1996
Date: Sun, 20 Oct 1996 16:53:22 -0500
From: John Fulmer <jfulmer@blanket.com>
To: linux-security@tarsier.cv.nrao.edu
Does anyone know of a hack against lpr/lpd on Slackware 3.0? Someone
rewrote the password file on a server I deal with occasionally, and the
only real traces are a file called '1' in the /etc directory, which
contains the password file + three additional accounts. Then there is a
file called passwd.3, which is another copy of the passwd file. Both
files are owned by root and group lp.

The person had originally ftp'ed down the password file, by either
cracking a user's password, or just got it somehow. Then he cracked a
user with a shell account with a weak password (his first name!!!) and
got onto the system. We're now trying to find out how he replaced the
passwd file. Note that we did not lose root afaik.

The account was cracked from an account from Singapore owned by a
Japindar Singh. He also created a Jenny Lee, and a Datacom, Inc
account. Apparently he just wanted them to run a couple of irc bots.

jf
--
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ John Fulmer | "As folks might have suspected, +
+ Secure Network System | not much survives except roaches, +
+ Lawrence, Kansas | and they don't carry large enough +
+ | packets fast enough..." +
+ jfulmer@blanket.com | --Dave Crocker, about the +
+ http://www.blanket.com | Internet and nuclear war. +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++