[8066] in bugtraq
Re: IRIX 6.2 passwordless accounts exploit?
daemon@ATHENA.MIT.EDU (morex .-)
Mon Sep 28 23:34:03 1998
Date: Mon, 28 Sep 1998 19:18:25 -0400
Reply-To: "morex .-" <morex@NIRVANA.NET>
From: "morex .-" <morex@NIRVANA.NET>
X-To: Dan Stromberg <strombrg@NIS.ACS.UCI.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <36100E40.5047@nis.acs.uci.edu>
I believe the script that they're using is called mscan (mass scan) and it
can be found on rootshell . I have had alot of shell users / kids running
this.
morex .-
http://morex.net
http://www.worldnetworks.net
On Mon, 28 Sep 1998, Dan Stromberg wrote:
> We've had a lot of script kiddies running an exploit against our campus,
> that checks for accounts that are passwordless by default in IRIX 6.2 -
> like 4Dgifts, EZsetup, and so on. I've seen indications this isn't
> limited to our campus...
>
> This script has been generating hoardes of syslog entries like:
>
> Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
>
> Amusingly, our suns, decs and linux machines run a fake tcpmux, so we
> have lots of somewhat clueless kiddies checking for this vulnerability
> on machines of the wrong OS :).
>
> Anyway, can anyone make this exploit available, so I don't need to
> reinvent the wheel in order to check for this myself? It'd probably be
> easy in python, but it'd be nice to have "the real thing", the script
> the kiddies are using themselves.
>
> I checked rootshell.com, queried for sgi and 4Dgifts, but nothing
> relevant popped up.
>
> I know, if I "were a white hat" I could check /etc/passwd (or
> /etc/shadow) myself. It's complicated. And I am a white hat. Besides,
> the list is full disclosure.
>
