[21758] in North American Network Operators' Group
Re: Exodus: this is bad
daemon@ATHENA.MIT.EDU (Alex P. Rudnev)
Thu Nov 19 08:04:30 1998
Date: Thu, 19 Nov 1998 14:40:58 +0300 (MSK)
From: "Alex P. Rudnev" <alex@Relcom.EU.net>
To: Michael Shields <shields@msrl.com>
cc: "Steven J. Sobol" <sjsobol@nacs.net>, Richard Irving <rirving@onecall.net>,
Jared Mauch <jared@puck.nether.net>,
Adam Rothschild <asr@millburn.net>, list@inet-access.net,
nanog@merit.edu
In-Reply-To: <g6emr0ofs3.fsf@aluminum.crosslink.net>
Not only...
But there are a lot of brainless schoolboys who are trying to use just
this 'imapd' exploit and (due to the number of them) have trojaned a lot of
computers over the world. It's amazing, but I saw a few times the stack of
trojans installed one over another.
To be correct, there are a lot of _really used_ ways to break the system.
The best (and easiest) were the 'imapd' and 'qpopper' exploits (you simply run
a scanner and it detects these services, then you run the exploit and it reports
_you are root, go on_, then you ftp 'lrk3' or 'lrkb' or 'root_toolkit'
and install it).
The other way is to use sniffed accounts for user access, and then you
have a lot of exploits to get root; the most popular are the 'lprm' and 'X11'
exploits for Linux, loadmodule and ufsrestore for Solaris and SunOS.
If you did not have these security holes, it does not mean you were broken, but
your chance to be broken decreases from 30% (for Linux with IMAPD) to 1-2%
(for other holes).
I am not sure about BIND, but I saw bind scanning and some logs looked
like:
ns.xxx.yyy volurentable
....
ns.zz.ww not volurentable
and I suspect someone has tried to use BIND's bugs too.
On 18 Nov 1998, Michael Shields wrote:
> Date: 18 Nov 1998 21:25:18 +0000
> From: Michael Shields <shields@msrl.com>
> To: "Steven J. Sobol" <sjsobol@nacs.net>
> Cc: "Alex P. Rudnev" <alex@Relcom.EU.net>,
> Richard Irving <rirving@onecall.net>,
> Jared Mauch <jared@puck.nether.net>,
> Adam Rothschild <asr@millburn.net>, list@inet-access.net,
> nanog@merit.edu
> Subject: Re: Exodus: this is bad
>
> In article <19981118150133.28606@shell.nacs.net>,
> "Steven J. Sobol" <sjsobol@nacs.net> wrote:
> > On Tue, Nov 17, 1998 at 02:14:53PM +0300, Alex P. Rudnev wrote:
> > > Folks. All (ALL) Linux-based NS servers
> >
> > even running bind 8.1.2?
>
> Yes, if, as his message continued in the part deleted, you are running
> an unpatched imapd on the same machine.
> --
> Shields.
>
Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)