From owner-freebsd-security Thu Nov 1 6:51:39 2001 Delivered-To: freebsd-security@freebsd.org Received: from thedarkside.nl (cc31301-a.assen1.dr.nl.home.com [213.51.66.128]) by hub.freebsd.org (Postfix) with ESMTP id 199BC37B406 for ; Thu, 1 Nov 2001 06:51:20 -0800 (PST) Received: (from root@localhost) by thedarkside.nl (8.11.6/8.11.6) id fA1EpHH97529; Thu, 1 Nov 2001 15:51:17 +0100 (CET) (envelope-from g.p.de.boer@st.hanze.nl) Received: from kilmarnock.st.hanze.nl (kilmarnock [10.0.0.2]) by thedarkside.nl (8.11.6/8.11.6av) with ESMTP id fA1EpDB97521; Thu, 1 Nov 2001 15:51:13 +0100 (CET) (envelope-from g.p.de.boer@st.hanze.nl) Message-Id: <5.1.0.14.0.20011101154627.01f2e3f0@thedarkside.nl> X-Sender: 125105@pop5.st.hanze.nl X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 01 Nov 2001 15:51:11 +0100 To: Ralph Huntington , From: "G.P. de Boer" Subject: Re: strange inetd.conf entry In-Reply-To: <20011101093558.W79615-100000@mohegan.mohawk.net> References: <5.1.0.14.0.20011031211852.06278230@192.168.0.12> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 15:42 1-11-2001, Ralph Huntington wrote: >I have that sinking feeling. I discovered this line at the end of >inetd.conf on one of our servers: > >dlip stream tcp nowait root /bin/sh sh -i > >Looks like a root compromise. Sure enough, telnet'ing to the dlip port >provides what *looks* like a root shell, but I don't seem to be able to do >anything with it. Pretty mysterious. > >Can anyone offer a clue? Thanks in advance, Ralph Take the box down, do a reinstall and don't run known exploitable daemons. The shell acquired using the above line is useable. I fiddled a bit with it myself a few weeks ago when somebody reported just such a line in his inetd.conf and found out you can execute programs using "programname &". To list current directory "ls -- -la" worked iirc. Anyway.. it's a crippled shell, but only needed to say, replace sshd with a trojanned one. Hope the box wasn't really doing anything important, because it's rooted for sure. Goodluck, P. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message