[1743] in linux-security and linux-alert archive


[linux-security] Re: Re: Apparent SNMP remote-root vulnerability.

daemon@ATHENA.MIT.EDU (Chris Evans)
Tue May 12 01:10:41 1998

Date: Mon, 11 May 1998 16:41:34 +0100 (BST)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>
In-reply-to: <Pine.LNX.3.96.980510162007.508C-100000@dreish>
To: Dan Reish <dreish@izzy.net>
Cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


On Sun, 10 May 1998, Dan Reish wrote:

[re: hacked into]

Dan, firstly, if you haven't touched the compromised system much, do a
"dd" across the raw disk and grep it for log fragments. I have seen vital
erased logs recovered this way before!

> netplan (from plan-server-1.6.1-7)

Suspect, what's this?

> postmaster (from postgresql-6.2.1-7)

In the changes from 6.2.1 -> 6.3.2, "buffer overflows" are mentioned. I
haven't investigated (yet), but this would be something to look into if
you have postgresql listening on an external inet socket.

local->root is a fairly easy step compared with getting a shell
remotely.

> xntpd from xntp3-5.91 (installed from the sources)

Suspicious. Has it ever been audited?

> sshd from sshd-1.2.22 (installed from the sources) (on ports 21-23)

Anyone know how thoroughly audited sshd is?

> uucpd (from uucp-1.06.1-14)

OpenBSD recently found a buffer overflow in this daemon. Do we share the
same problem/common source base? Another thing to look into.

Cheers
Chris

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe test-list-request@redhat.com < /dev/null
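The "dd the raw disk and grep it for log fragments" advice from the message above, as an added example that is not part of the original post: a Python carver that streams a raw image (for instance one written by dd) in chunks and reports the byte offset of every syslog-format line fragment it finds, including a line whose tail was already overwritten. The host name, log lines and sample image bytes are constructed for illustration.

```python
import re
import tempfile

# Classic syslogd line shape, "Mon DD HH:MM:SS host tag: text"; the text part is capped so a run of
# random printable bytes cannot be swallowed as one endless "line".
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d "
    rb"[0-2]\d:[0-5]\d:[0-5]\d [\x21-\x7e]{1,64} [\x20-\x7e]{1,1024}"
)
MAX_LINE = 1200  # longer than any possible SYSLOG_RE match (1105 bytes); used as the chunk overlap

def carve_syslog(image: bytes, base: int = 0) -> list[tuple[int, str]]:
    """Return (absolute byte offset, text) for every syslog-looking run in `image`."""
    return [(base + m.start(), m.group().decode("ascii")) for m in SYSLOG_RE.finditer(image)]

def carve_image_file(path: str, chunk_size: int = 4 * 1024 * 1024):
    """Stream a raw image (as written by dd) chunk by chunk so it never has to fit in memory.
    A hit is reported only once MAX_LINE bytes follow its start (or the image has ended), so a
    line straddling a chunk boundary is carved whole instead of truncated."""
    with open(path, "rb") as fh:
        buf, base, data = b"", 0, fh.read(chunk_size)
        while data:
            buf += data
            data = fh.read(chunk_size)  # look ahead: empty means buf holds the image's tail
            limit = len(buf) if not data else max(len(buf) - MAX_LINE, 0)
            cut = limit
            for off, line in carve_syslog(buf, base):
                if off - base >= limit:  # too near the edge; re-scan it with more data appended
                    break
                cut = max(cut, off - base + len(line))
                yield off, line
            buf, base = buf[cut:], base + cut

# Constructed sample image: filesystem noise with unlinked log lines still sitting in free blocks.
SAMPLE_IMAGE = (
    b"\x00\x00\xff\x13ELF" + b"\x7f" * 40
    + b"May 10 16:20:07 victim in.telnetd[508]: connect from 10.0.0.5\n"
    + b"\x00" * 2500
    + b"May 10 16:20:31 victim login[509]: ROOT LOGIN ON tty1 FROM 10.0.0.5\n"
    + b"\x9a\x01junk\x00"
    + b"May 10 16:22:00 victim syslogd: /var/log/messages truncat"  # tail already overwritten
    + b"\xfe\xfe"
)

def demo(chunk_size: int = 2048) -> list[tuple[int, str]]:
    """Write SAMPLE_IMAGE to a temp file and carve it in small chunks so a boundary is crossed."""
    with tempfile.NamedTemporaryFile(suffix=".img") as tmp:
        tmp.write(SAMPLE_IMAGE)
        tmp.flush()
        return list(carve_image_file(tmp.name, chunk_size))
```

On a real image, point carve_image_file at the dd output instead of the temp file and sort the hits by offset to see which freed blocks the fragments came from.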

