From owner-freebsd-security  Thu Nov  1  6:42:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by hub.freebsd.org (Postfix) with ESMTP id 243CC37B405
	for <freebsd-security@FreeBSD.ORG>; Thu,  1 Nov 2001 06:42:54 -0800 (PST)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id fA1EgmW86011
	for <freebsd-security@FreeBSD.ORG>; Thu, 1 Nov 2001 09:42:48 -0500 (EST)
Date: Thu, 1 Nov 2001 09:42:48 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: <freebsd-security@FreeBSD.ORG>
Subject: strange inetd.conf entry
In-Reply-To: <5.1.0.14.0.20011031211852.06278230@192.168.0.12>
Message-ID: <20011101093558.W79615-100000@mohegan.mohawk.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

I have that sinking feeling. I discovered this line at the end of
inetd.conf on one of our servers:

dlip        stream  tcp     nowait  root    /bin/sh sh -i

Looks like a root compromise. Sure enough, telnet'ing to the dlip port
provides what *looks* like a root shell, but I don't seem to be able to do
anything with it. Pretty mysterious.

Can anyone offer a clue? Thanks in advance,	Ralph




To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message