Is this a New kind of DNS Breakin....

Martin McCormick martin at dc.cis.okstate.edu
Mon Dec 13 17:02:29 UTC 1999


Pandelis Papanikolaoy writes:
>closer examination I found 1 "inetd" invoking a program called
>"/tmp/bob" When I looked there WAS a /tmp/bob and all that this thing
>contained was the single line of text
>
>/bin/sh sh -i

	It was most likely NFS or one of the other remote procedure
call (RPC) services that was exploited via a buffer overflow, and not your
DNS.  We recently found a string of systems on our campus that had
been cracked in this way (bob and all).  We also saw something called
identd (not inetd).  I think identd is put in the same directory as
inetd, but I don't remember for sure.

	This appears to be what's called a "root kit" in which
crackers bang on statd, nfs, rexec, or anything else that is turned on
and, after causing it to crash via the buffer overflow trick, their
script installs the root shell and they're off and running.  They own
your system.

	As root, they can do what they please.  The ones we had here
and possibly the one you have there were used as a method for
installing an IRC anonymiser as if IRC needed to become even more
crazy than it already is.  You should assume the worst and tighten
things up as much as possible and also monitor as much as you can.

	The one here that I heard about had a capture program as
someone on this list already stated.  This capture grabbed user IDs
and passwords so you need to make everybody change their passwords now
after, of course, cleaning bob's account and toys off of all the
systems.

	bob also has a few brothers and sisters around so look for
similar patterns and not necessarily the same names all the time.

Martin McCormick WB5AGZ  Stillwater, OK 
OSU Center for Computing and Information Services Data Communications Group
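A defender-side check for the pattern Martin describes above (an inetd entry whose server program lives somewhere like /tmp/bob, or one that simply hands out an interactive shell), added here as an example and not part of the original thread; the inetd.conf lines, the /tmp/bob contents and the list of world-writable directories are constructed assumptions.

```python
"""Flag inetd.conf entries with the pattern from this thread: a service whose
server program lives in /tmp (or another world-writable directory), or whose
command line or script body just spawns an interactive shell.  All sample
data below is constructed."""
import re

SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# "sh -i" at start of text, or after whitespace or a path separator
SHELL_RE = re.compile(r"(^|\s|/)sh\s+-i\b")

def parse_inetd_line(line):
    """Return (service, server_path, args) for an active inetd.conf entry,
    or None.  Fields: service sock_type proto wait user server_path [args]"""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 6:
        return None
    return fields[0], fields[5], fields[6:]

def suspicious_entries(conf_text, file_contents):
    """file_contents maps server_path -> text of that file (stands in for
    reading it from disk).  Returns a list of (service, path, reason)."""
    findings = []
    for line in conf_text.splitlines():
        parsed = parse_inetd_line(line)
        if parsed is None:
            continue
        service, path, args = parsed
        if path.startswith(SUSPECT_DIRS):
            findings.append((service, path, "program in world-writable dir"))
        if SHELL_RE.search(" ".join([path] + args)):
            findings.append((service, path, "entry launches interactive shell"))
        if SHELL_RE.search(file_contents.get(path, "")):
            findings.append((service, path, "script spawns interactive shell"))
    return findings

SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
bob     stream  tcp  nowait  root  /tmp/bob        bob
shell   stream  tcp  nowait  root  /bin/sh         sh -i
"""
SAMPLE_FILES = {"/tmp/bob": "/bin/sh sh -i\n"}

def scan_sample():
    """Run the check over the constructed sample; returns the findings."""
    return suspicious_entries(SAMPLE_INETD_CONF, SAMPLE_FILES)
```

Run on a real host by reading /etc/inetd.conf and each server path from disk; the service name is not a reliable signal, as the thread notes, so the check keys on where the program lives and what it does.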
