Date:      Wed, 5 May 1999 00:32:13 +0200 (CEST)
From:      "Michael C. Vergallen" <mvergall@mail.double-barrel.be>
To:        Tim Priebe <tim@iafrica.com.na>
Cc:        Greg Quinlan <greg@qmpgmc.ac.uk>, freebsd-stable@FreeBSD.ORG, security@FreeBSD.ORG
Subject:   Re: FreeBSD 3.1 remote reboot exploit (fwd)
Message-ID:  <Pine.LNX.4.04.9905050025440.6081-100000@ws3.double-barrel.be>
In-Reply-To: <372F7025.7081@iafrica.com.na>

I don't see how this can be an exploit if you have /etc/hosts.deny and
/etc/hosts.allow set up correctly and don't allow rcmd commands on your
system. I tried to remotely reboot my ftp server here and no it does not
work on that machine and I also tried on my gateway machine and no luck
there either. Now I will try my print server but I first have to upgrade
that box to 3.1... However on my network I see more and more people
scanning with a portscanner so I suppose I better keep a look out for
strange items in my log files.

Michael
---
Michael C. Vergallen A.k.A. Mad Mike, 
Sportstraat 28			http://www.double-barrel.be/mvergall/
B 9000 Gent			ftp://ftp.double-barrel.be/pub/linux/
Belgium				tel : 32-9-2227764 Fax : 32-9-2224976
			
On Wed, 5 May 1999, Tim Priebe wrote:

> I saw such behavior Sunday when trying to implement a new firewall. The
> system would repeatedly panic with a trap 12. This would happen
> immediately after the login prompt appeared after the previous panic.
> The system would be stable, if I removed the first ethernet cable, plug
> the cable back in, and a short while later it would start over again.
> It was late, and we had to get the system working again, so we restored
> to the previous system. I have some information logged for packets at
> the time. I will check this and try to reproduce after I finish the
> course I am on this week.
> 
> Tim.
> 
> Greg Quinlan wrote:
> > 
> > This sounds so.. so very familiar!!
> > 
> > I have been the target of exploits before......
> > 
> > The exact same thing I have been experiencing........but not for about 5
> > days now!
> > 
> > I'm not convinced it's a pure exploit.. (i.e. a program specifically written
> > for the purpose)
> > 
> > Greg
> > 
> > -----Original Message-----
> > From: Karl Denninger <karl@Denninger.Net>
> > To: chris@calldei.com <chris@calldei.com>; Jordan K. Hubbard
> > <jkh@zippy.cdrom.com>
> > Cc: Mike Smith <mike@smith.net.au>; Seth <seth@freebie.dp.ny.frb.org>;
> > freebsd-stable@FreeBSD.ORG <freebsd-stable@FreeBSD.ORG>;
> > security@FreeBSD.ORG <security@FreeBSD.ORG>; jamie@exodus.net
> > <jamie@exodus.net>
> > Date: 04 May 1999 05:20
> > Subject: Re: FreeBSD 3.1 remote reboot exploit (fwd)
> > 
> > >On Mon, May 03, 1999 at 10:51:32PM -0500, Chris Costello wrote:
> > >> On Mon, May 3, 1999, Jordan K. Hubbard wrote:
> > >> > > I have to say that Jamie really let us down by not running a raw
> > >> > > tcpdump alongside the second targeted machine here.  Any chance of
> > >> > > provoking these people into "demonstrating" the exploit on a machine,
> > >> > > while another connected to the same wire is running
> > >> >
> > >> > I'd say he or whomever first reported this to bugtraq let us down even
> > >> > more by releasing an "advisory" in such an unknown and unverifiable
> > >> > state.  By doing so, all they've done is hand ammunition to the FUD
> > >> > corps and given us no reasonable chance to respond since the advisory
> > >>
> > >>    I get the impression that that was the whole point of the
> > >> bugtraq post, to give us more grief.
> > >
> > >Ding!
> > >
> > >Give that man a cigar.
> > >
> > >Anyone who saw this done to one machine and didn't *immediately* configure
> > >machine #2 to trap and trace on the second instance deserves raspberries -
> > >at a minimum.
> > >
> > >It's one thing to have it done "anonymously" (among other things you might
> > >not be there when it goes "boom" under those conditions!)  It's another to
> > >have it done under controlled conditions and neither get an explanation
> > >OR trap the condition that caused it yourself with a tcpdump trace.
> > >
> > >--
> > >--
> > >Karl Denninger (karl@denninger.net)  Web: fathers.denninger.net
> > >I ain't even *authorized* to speak for anyone other than myself, so give
> > >up now on trying to associate my words with any particular organization.
> > >
> > >
> > >To Unsubscribe: send mail to majordomo@FreeBSD.org
> > >with "unsubscribe freebsd-security" in the body of the message
> > >
> > 
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-stable" in the body of the message
> 
