[linux-security] Re: Apparent SNMP remote-root vulnerability.
daemon@ATHENA.MIT.EDU (Dan Reish)
Mon May 11 03:27:13 1998
Date: Sun, 10 May 1998 17:00:43 -0400 (EDT)
From: Dan Reish <dreish@izzy.net>
In-reply-to: <Pine.LNX.3.96.980509132952.3928A-100000@dreish>
To: linux-security@redhat.com
Reply-to: Dan Reish <dreish@izzy.net>
Resent-From: linux-security@redhat.com
On Sat, 9 May 1998, Dan Reish wrote:
> ... but all I know (or at least strongly
> suspect) is that there's a vulnerability in Red Hat 5.0's cmu-snmp-3.4-3
Sorry, I was wrong. It (probably) wasn't snmp. I discovered this before
my message was approved, but I forgot to ask REW to drop the message. So
my sig is "Dunce" for this week.
There _was_ a break-in, but after getting root, my logs were erased.
What I was left with doesn't leave any clues about the point of entry. I
mistook a startup message in a file other than /var/log/messages for a
missed log entry.
I don't know how useful this is, but I know my passwords aren't guessable,
and I thought I had a reasonably secure system (though I've since gone
through another round of weeding out unused daemons). Whoever did this
has a fairly large library of vulnerabilities, since he was hopping from
one system (not all running Linux) to the next, getting root and moving on
quickly. So ... here are the daemons and services I had running at the
time:
portmap (from portmap-4.0-7)
netplan (from plan-server-1.6.1-7)
postmaster (from postgresql-6.2.1-7)
syslogd (from sysklogd-1.3-19)
named (from bind-4.9.6-7)
xntpd from xntp3-5.91 (installed from the sources)
sshd from sshd-1.2.22 (installed from the sources) (on ports 21-23)
lpd (from lpr-0.31-1)
httpd (from apache-1.2.5-1)
From inetd:
qmail-smtpd from qmail-1.01 (installed from the sources)
in.fingerd through tcpd (from finger-0.10-2) (tcpd from tcp_wrappers-7.6-2)
in.timed through tcpd (from intimed-1.10-5)
in.identd (from pidentd-2.7-1)
uucpd (from uucp-1.06.1-14)
--
Dunce
--
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null