[1743] in linux-security and linux-alert archive
[linux-security] Re: Re: Apparent SNMP remote-root vulnerability.
daemon@ATHENA.MIT.EDU (Chris Evans)
Tue May 12 01:10:41 1998
Date: Mon, 11 May 1998 16:41:34 +0100 (BST)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>
In-reply-to: <Pine.LNX.3.96.980510162007.508C-100000@dreish>
To: Dan Reish <dreish@izzy.net>
Cc: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

On Sun, 10 May 1998, Dan Reish wrote:

[re: hacked into]

Dan, firstly, if you haven't touched the compromised system much, do a
"dd" across the raw disk and grep it for log fragments. I have seen vital
erased logs recovered this way before!

> netplan (from plan-server-1.6.1-7)

Suspect, what's this?

> postmaster (from postgresql-6.2.1-7)

In the changes from 6.2.1 -> 6.3.2, "buffer overflows" are mentioned. I
haven't investigated (yet), but this would be something to look into if
you have postgresql listening on an external inet socket.
local->root is a fairly easy step compared with getting a shell from
remotely.

> xntpd from xntp3-5.91 (installed from the sources)

Suspicious. Has it ever been audited?

> sshd from sshd-1.2.22 (installed from the sources) (on ports 21-23)

Anyone know how thoroughly audited sshd is?

> uucpd (from uucp-1.06.1-14)

OpenBSD recently found a buffer overflow in this daemon. Do we share the
same problem/common source base? Another thing to look into.

Cheers
Chris
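
The "dd the raw disk and grep it for log fragments" step suggested in the message above, as an added example that is not part of the original post. It assumes the image was already taken with dd and that the erased logs used the classic syslog timestamp format; it goes one step beyond a plain grep by reporting the byte offset of each fragment and by handling fragments split across read boundaries. The function names and the sample log lines are made up for illustration.

```python
import re, sys

# Classic syslog shape: "May 10 16:20:07 host tag[pid]: message"
SYSLOG = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d "
    rb"\d\d:\d\d:\d\d [\w.-]+ [\x20-\x7e]{1,400}"
)

def carve_syslog(image_path, chunk_size=1 << 20, overlap=512):
    """Yield (byte_offset, text) for every syslog-shaped fragment in a raw image.

    overlap must exceed the longest "timestamp + hostname" prefix expected, so
    that a fragment split across two reads is still seen in one piece.
    """
    with open(image_path, "rb") as img:
        base, buf = 0, b""            # base = image offset of buf[0]
        while True:
            chunk = img.read(chunk_size)
            buf += chunk
            final = not chunk
            keep_from = len(buf) if final else max(len(buf) - overlap, 0)
            for m in SYSLOG.finditer(buf):
                if not final and m.end() == len(buf):
                    # Fragment runs to the end of the buffer: it may continue
                    # in the next read, so hold it back instead of emitting.
                    keep_from = min(keep_from, m.start())
                    break
                yield base + m.start(), m.group().decode("ascii")
                keep_from = max(keep_from, m.end())
            if final:
                return
            base += keep_from
            buf = buf[keep_from:]

def build_sample_image():
    """Constructed test data: two made-up log lines buried in binary filler."""
    a = b"May 10 16:20:07 examplehost login[101]: constructed entry A"
    b = b"May 11 01:02:03 examplehost kernel: constructed entry B"
    return b"\x00" * 50 + a + b"\x00\xff" * 10 + b + b"\x00" * 7

if __name__ == "__main__":
    # Usage: python carve.py disk.img   (image made beforehand with dd)
    for offset, text in carve_syslog(sys.argv[1]):
        print(f"{offset:>12}  {text}")
```

The offsets let you go back into the image and examine the blocks around each hit, where neighbouring fragments of the same log file often survive.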