From owner-freebsd-security Mon Nov 27 08:14:04 2000
Delivered-To: freebsd-security@freebsd.org
Message-ID: <000b01c0588d$0138b320$0101a8c0@pavilion>
From: "Richard Ward"
To:
Cc: "Peter Pentchev"
References: <028e01c0586d$fb1c7680$0101a8c0@pavilion> <20001127144953.C420@ringworld.oblivion.bg>
Subject: Re: *login
Date: Mon, 27 Nov 2000 11:13:38 -0500
Sender: owner-freebsd-security@FreeBSD.ORG

I saw login running with the -h option for long periods of time on numerous IP addresses, but not with "high risk" host names (dialup, AOL, etc.), none of which I can recognize as a regular user's host name. Maybe someone is trying to log in with telnet/ssh unsuccessfully?

Recently a FreeBSD 4.1.1-STABLE box that I administrate was exploited via the default ports package's named 8.2.3-T5B, which according to many I have talked with is not exploitable with the 4.1.1-STABLE release. Since I run bind with userid/groupid "bind", a non-privileged user, the "hacker" was only able to add absurd messages to my named.conf, causing named to fail when reading the conf file and not start back up.
I checked www.isc.org's website and found an upgrade from T5B to T6B saying, quote, "infamous 'munnari' bug suite fixed". Could this be the bug that was exploited in my case? Are there any patches or port upgrades to fix an exploitable named 8.2.3-T5B that might be included in T6B? Thanks.

--
Richard Ward
"sleep deprived and caffeine-empowered"

----- Original Message -----
From: Peter Pentchev
To: Richard Ward
Cc:
Sent: Monday, November 27, 2000 7:49 AM
Subject: Re: *login

> On Mon, Nov 27, 2000 at 07:31:31AM -0500, Richard Ward wrote:
> > Hello,
> > I'm wondering what program would use root to execute 'login -h -p'. I've noticed every now and then that it would be running as root, and as a regular user, you cannot use the -h option. What exactly could be going on? I only run telnet and ssh1 as remote login daemons. Does telnet or ssh1 require this login command to be executed at certain times or randomly? I have both telnet and ssh clients chmod 700, so a regular user won't be able to remotely login from my computer...
>
> Both /usr/libexec/telnetd and the OpenSSH sshd start login with a -h option.
> However, it is next to impossible (or at least very, very improbable) to feed
> fake hostnames to either of them - SSH as a whole is notoriously picky as to
> DNS-resolving hostnames and such, and I've just checked the telnetd source
> in 4.2-STABLE - it accepts no data from the client, but tries to resolve
> the hostname both ways using realhostname_sa(3). So, both telnetd and sshd
> only record (and pass to login) the real client hostname.
>
> Have you been seeing actual login processes on your system, running with
> a weird -h command-line option, or do you base your judgement on utmp/wtmp
> records? If it is utmp/wtmp records, there might be other candidates for
> writing bad info there - X terminals come to mind immediately, PAM might
> also be involved in some way, and there certainly are other possibilities.
>
> G'luck,
> Peter
>
> --
> This sentence contradicts itself - or rather - well, no, actually it doesn't!
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
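An added example, not part of the thread or of FreeBSD's source: a Python approximation of the two-way check Peter describes for realhostname_sa(3), where the reverse name is only recorded if it resolves forward to the same address, and the numeric address is used otherwise. The DNS tables and the 192.0.2.x addresses are constructed for the example so it runs offline; the real function consults the resolver.

```python
import ipaddress

# Constructed DNS snapshot for this example (not real records):
# reverse (PTR) answers keyed by address, forward (A) answers keyed by name.
PTR = {
    "192.0.2.10": "host10.example.net",      # forward lookup agrees
    "192.0.2.20": "dialup-20.example.org",   # forward lookup points elsewhere
    "192.0.2.30": "nonexistent.invalid",     # no forward record at all
}
A = {
    "host10.example.net": {"192.0.2.10"},
    "dialup-20.example.org": {"192.0.2.99"},
}

def lookup_ptr(addr):
    """Stand-in for a reverse DNS query; OSError mimics a failed lookup."""
    if addr not in PTR:
        raise OSError("NXDOMAIN")
    return PTR[addr]

def lookup_a(name):
    """Stand-in for a forward DNS query; OSError mimics a failed lookup."""
    if name not in A:
        raise OSError("NXDOMAIN")
    return A[name]

def real_hostname(addr, ptr_lookup=lookup_ptr, a_lookup=lookup_a):
    """Approximate realhostname_sa(3): accept the reverse name only if it
    resolves forward to the same address; otherwise return the numeric
    address, which is what telnetd then passes to `login -h` and what
    ends up in utmp/wtmp."""
    ipaddress.ip_address(addr)          # reject garbage before any lookup
    try:
        name = ptr_lookup(addr)
        if addr in a_lookup(name):
            return name
    except OSError:
        pass                            # a lookup failed: no trusted name
    return addr

def audit_login_hosts(addrs):
    """Map each client address to the name login should have recorded,
    so odd -h values seen in ps or wtmp can be compared with the expected one."""
    return {addr: real_hostname(addr) for addr in addrs}

if __name__ == "__main__":
    sample = ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"]
    for addr, name in audit_login_hosts(sample).items():
        print(f"{addr:<12} -> {name}")
```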