[29822] in North American Network Operators' Group


Re: OT: Earthlink Contact - Important Root Hacked

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Jul 7 15:58:40 2000

Message-Id: <200007071955.e67JtiS22412@black-ice.cc.vt.edu>
To: "K. Graham" <kgraham@ican.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Fri, 07 Jul 2000 12:46:12 PDT."
             <39663384.B9F80D2E@ican.net> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-1843542448P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Fri, 07 Jul 2000 15:55:43 -0400
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_-1843542448P
Content-Type: text/plain; charset=us-ascii

On Fri, 07 Jul 2000 12:46:12 PDT, "K. Graham" <kgraham@ican.net>  said:
> This exploit was used on us and we would like to remove any likelihood
> of others being compromised.   The exploit is in the hands of the people
> at rootshell.

Umm.. is this a *new* exploit that the rootshell people have been given, but
isn't in general circulation yet?

If it's already available at rootshell, you should assume that every script
kiddie on the planet has a copy, and start patching your systems.  Unless
you've been VERY lucky and are one of the first dozen or so machines to have
been targeted by a brand-new exploit, removing the copy that's at Earthlink
is just urinating into the wind.

Note - this is *NOT* saying that the Earthlink machine doesn't need cleaning
up - just that the *exploit* is almost certainly widespread enough that removal
of the one copy won't change the fact it's out there and will be used on others.

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech


--==_Exmh_-1843542448P
Content-Type: application/pgp-signature


--==_Exmh_-1843542448P--

