[1826] in SIPB_Linux_Development


Edwin Foo: Re: Subject: workaround for Samba bug described by ADM

daemon@ATHENA.MIT.EDU (Kevin 'Bob' Fu)
Mon Sep 29 23:31:17 1997

To: linux-dev@MIT.EDU
Date: Mon, 29 Sep 1997 23:31:01 EDT
From: "Kevin 'Bob' Fu" <fubob@MIT.EDU>

Here are some details on the recent linux breakins.

--------
Kevin E. Fu aka Bob the BobOp         Athena OLC/RCC
PGP key: finger fubob@snafu.mit.edu   SIPB Member

------- Forwarded Message
Date: Mon, 29 Sep 1997 23:27:55 -0400
To: "Kevin 'Bob' Fu" <fubob@MIT.EDU>
From: Edwin Foo <efoo@MIT.EDU>
Subject: Re: Subject: workaround for Samba bug described by ADM 
In-Reply-To: <199709300317.XAA18652@tiramisu.mit.edu>
References: <Your message of Mon, 29 Sep 1997 23:11:19 -0400.             <9709300311.AA07480@yaz-pistachio.MIT.EDU>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Kevin, edit and/or forward to linux-dev  if you feel is appropriate.
This is my summary so far.

- ------------

For another record, it appears that breakins appear not only through Samba
but through the perl suid bug on older machines as well as some sort of bug
in lpr (I have no idea why, but they seem to use it on 4.0.0 machines
exclusively). I have found a pattern in the modus operandi... it seems to be
the same. Install rootkit in some location (varies), but the output of the
trojaned login binary (which doesn't know about kerberos, it appears)
invariably goes to /dev/.mang. smurf (packet sniffer) gets installed, and
then ip_masq.o gets insmoded into the kernel (IP masquerade). I don't think
they know how to use it (ip_masq) though.

kvlee found them on an IRC server and listened in on their conversation for
a little while before he got kicked off -- apparently they were discussing
where to go next, and what's more interesting is that they might have had a
list of vulnerable machines at MIT already -- tcpdump logs show that they
never targeted any windows boxes and always moved on to the next linux box
immediately afterwards w/o pausing. The list might have even come from MIT.

I think an announcement to urge everyone to upgrade to RedHat 4.2 should be
taken seriously, but I realize that Linux-Athena 4.2 isn't out yet. Hopefully
this should be some impetus though.

later,
Edwin


- ------------------------------------------------------------------------
The FooBunny     | MIT Computer Science '98 - Systems and Architecture
efoo@mit.edu     | DEC Cambridge Research Lab - Parallel Computing Group
(617) 225-8826   | Residential Computing Consultant (RCC) - Next House

"Love must be sincere; Hate what is evil; cling to what is good."
                                                       - Romans 12:9 <><
- ------------------------------------------------------------------------

------- End of Forwarded Message
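
The indicators in Edwin's summary (the trojaned login's output file at /dev/.mang, a regular file hidden in /dev, ip_masq.o loaded into the kernel, a sniffer that must put an interface into promiscuous mode) lend themselves to a quick host check. The script below is an added example and is not from the original thread or from anyone on linux-dev; the indicator names come from the message above, while the function name `indicators_for`, the argument layout (a `/proc/modules`-style listing and saved `ifconfig -a` output), and the sample tree it builds at the bottom are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): look for the indicators named
# in Edwin Foo's summary on a Linux host.  Indicator names (/dev/.mang,
# ip_masq, a trojaned login, a packet sniffer) are from the message; the
# function name, the argument layout and the constructed sample tree at the
# bottom are assumptions made for this example.
#
# indicators_for ROOT MODULES [IFCONFIG_OUTPUT]
#   ROOT            filesystem prefix to inspect ("" for the live host)
#   MODULES         a /proc/modules-style listing (one module per line)
#   IFCONFIG_OUTPUT optional saved output of `ifconfig -a`
# Prints one line per indicator found, nothing on a host that shows none.
indicators_for() {
    root=$1
    modules=$2
    ifcfg=$3

    # 1. The trojaned login binary writes what it captures to /dev/.mang.
    if [ -f "$root/dev/.mang" ]; then
        echo "LOGFILE /dev/.mang present (trojaned login output)"
    fi

    # 2. /dev should hold device nodes, not regular files; rootkits of the
    #    period kept logs and config there because nobody looks.  Report any
    #    other regular file too (/dev/.mang was already reported above).
    find "$root/dev" -type f 2>/dev/null | while read -r f; do
        case "$f" in
            "$root/dev/.mang") ;;
            *) echo "DEVFILE regular file in /dev: ${f#$root}" ;;
        esac
    done

    # 3. ip_masq.o insmoded into the kernel.
    if [ -n "$modules" ] && grep -q '^ip_masq' "$modules" 2>/dev/null; then
        echo "MODULE ip_masq loaded"
    fi

    # 4. A sniffer such as smurf has to put an interface into promiscuous
    #    mode, which ifconfig of that era shows as the PROMISC flag.
    if [ -n "$ifcfg" ] && grep -q 'PROMISC' "$ifcfg" 2>/dev/null; then
        echo "PROMISC an interface is in promiscuous mode (sniffer?)"
    fi
}

# Stand-alone demonstration against a constructed tree, so it runs without
# touching the real /dev.  To check the live host instead:
#   ifconfig -a > /tmp/ifcfg; indicators_for "" /proc/modules /tmp/ifcfg
demo_root=$(mktemp -d)
mkdir -p "$demo_root/dev"
: > "$demo_root/dev/.mang"                        # constructed indicator
printf 'ip_masq 5216 0\n' > "$demo_root/modules"  # constructed listing
indicators_for "$demo_root" "$demo_root/modules"
rm -rf "$demo_root"
```

The check is deliberately read-only and takes its inputs as paths, so it can be pointed at a mounted copy of a suspect disk as easily as at the running box; on a compromised host the trojaned binaries themselves (ls, ps, ifconfig) cannot be trusted, so running it from clean media or against an offline image is the safer habit.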
