[2933] in bugtraq
Re: identd hole?
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Tue Jul 16 12:48:25 1996
Date: Tue, 16 Jul 1996 06:10:02 -0400
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: Your message of Mon, July 15, 1996 17:57:36 -0500
"BLH" == Brett L Hawn <blh@nol.net> writes:
BLH> Lately I've heard rumours about this 'identd' hole in RFC1413,
BLH> we've seen this abused on IRC several times in recent days. Then
BLH> today I had someone claim they had the root password on my machine
BLH> at home. So I telnetted in, changed it and waited since he claimed
BLH> he was going to hack it. Apparently he did because I caught him
BLH> with a login process which I promptly killed, then being rather
BLH> peeved I /kill'd him on irc. This apparently pissed him off even
BLH> more so he re-hacked my machine and brought it down, at this time
BLH> I'm not even sure if it's revivable as I've not had a chance to
BLH> check it, all I know is that it's dead in the water currently. Right
BLH> after that I did a netstat -n on the machine I was on at
BLH> work. Voila.. there were about two dozen connections from his IP (I
BLH> checked) to my identd port (113). Now I'm guessing that Solaris
BLH> 2.5x86 doesn't have the same bug or I caught it in time since I saw
BLH> no adverse effects on that machine. The machine affected (and
BLH> killed) was a linux 2.0.0 machine, but I have heard of many other
BLH> machines of random type being affected in such a manner.
It's not really clear to me that 'identd' was involved in the attack on
your Linux system. The second intrusion could very well have been
accomplished via a trojan /bin/login, /usr/sbin/in.telnetd, etc., since
a previous root-level intrusion had apparently occurred. Replacing
/bin/login with a "back door password" version is a logical step #1
after cracking a box; doing this is part of some "root kits."
Also, depending upon your configuration, both the first and the
subsequent intrusions could have been done sans password using something
like the now-well-known shared-library/in.telnetd exploit; the cracker
might very well have been claiming to have your root password simply to
confuse the issue and point you in the wrong direction.
--Up.
--
Jeff Uphoff - systems/network admin. | juphoff@nrao.edu
National Radio Astronomy Observatory | juphoff@bofh.org.uk
Charlottesville, VA, USA | jeff.uphoff@linux.org
PGP key available at: http://www.cv.nrao.edu/~juphoff/
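As an added example (not part of the original post and not its author's code), here is a small shell check for the symptom Brett describes: a pile of connections from one remote address to the local identd port (113) in `netstat -n` output. The netstat sample, the function name and the threshold are constructed assumptions.

```shell
#!/bin/sh
# Added example: flag remote hosts holding many TCP connections to local
# port 113 (identd) in `netstat -n` output. Sample output is constructed.

SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:113          198.51.100.7:40001      ESTABLISHED
tcp        0      0 192.0.2.10:113          198.51.100.7:40002      ESTABLISHED
tcp        0      0 192.0.2.10:113          198.51.100.7:40003      SYN_RECV
tcp        0      0 192.0.2.10:113          198.51.100.7:40004      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.5:51234       ESTABLISHED
tcp        0      0 192.0.2.10:113          203.0.113.9:60001       TIME_WAIT
udp        0      0 0.0.0.0:68              0.0.0.0:*'

# identd_peers THRESHOLD
# Reads netstat -n output on stdin and prints one "ADDRESS COUNT" line for
# every remote address with at least THRESHOLD TCP connections to local
# port 113, sorted by address. Socket state is ignored on purpose: a flood
# shows up in half-open (SYN_RECV) and lingering (TIME_WAIT) sockets too.
identd_peers() {
    awk -v thr="$1" '
        $1 == "tcp" || $1 == "tcp6" {
            lport = $4; sub(/^.*:/, "", lport)     # local port = text after last colon
            if (lport != 113) next
            rip = $5; sub(/:[0-9]+$/, "", rip)    # drop the remote port (IPv4 or IPv6)
            count[rip]++
        }
        END { for (ip in count) if (count[ip] >= thr) print ip, count[ip] }
    ' | sort
}

# On a live box this would be:  netstat -n | identd_peers 10
printf '%s\n' "$SAMPLE_NETSTAT" | identd_peers 3
```

A host that shows up here is only a lead: as the reply above points out, the identd traffic may be a sideshow, so the next step is checking /bin/login, in.telnetd and the shared libraries for replacement, not just blocking port 113.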