FW: [ale] cracked via mountd
Dunlap, Randy
randy.dunlap at intel.com
Fri Jan 8 11:38:00 EST 1999
Here's a web page (Basic Host Security) that you may want
to check out. Its contents were presented at PLUG (Portland
Linux [or Unix] Users Group) last night (which I missed).
http://www.paranoid.org/jan99.html
~Randy
> -----Original Message-----
> From: Bob's ALE Mail [mailto:transam at cavu.com]
> Sent: Thursday, January 07, 1999 5:44 PM
> To: ale at cc.gatech.edu
> Subject: [ale] cracked via mountd
>
>
> Someone I know (who shall remain anonymous) and who is very
> knowledgeable
> in Linux, got hacked on 1/1/99. They seem to have broken in
> via mountd
> using some software they found on the internet. (They didn't
> seem very
> sharp.)
>
> All of the systems with RH 5.1 mountd got cracked this way.
> The RH 5.2
> systems and a RH 5.1 system with RH 5.2 mountd did NOT get
> cracked, though
> firewall logs showed they tried the same attack on these
> latter systems too.
>
> They seem to have flooded a buffer to accomplish this, left a
> dummy root
> account called "moof" at the bottom of the /etc/passwd file,
> and fiddled
> with /etc/exports.
>
> I recommend turning off mountd until you can upgrade it. An
> RPM is available
> from RH's site.
>
> [A fellow ALEer figured all of this out. I'm just warning y'all.]
>
> Also, two of my friends who are knowledgeable Linux types had
> their systems
> cracked! I use tcp wrappers and have disabled unneeded
> daemons. I suggest
> using at least sendmail 8.8.7.
>
> Bob Toxen
> bob at cavu.com http://www.cavu.com
> transam at cavu.com [ALE & Linux Laptops]
> Fly-By-Day Consulting, Inc.
>
> "The bad reputation UNIX has gotten is totally undeserved, laid on by
> people who don't understand, who have not gotten in there and tried
> anything." -- Jim Joyce, owner of Jim Joyce's UNIX Bookstore
>
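As an added defensive check (not part of Randy's or Bob's message), the script below looks for the two artifacts Bob describes on the cracked hosts: an extra UID-0 account appended to /etc/passwd and loosened /etc/exports entries. It generalizes slightly, flagging any non-root UID 0 account rather than only "moof"; the file contents it scans are constructed samples.

```python
import re

# Constructed sample /etc/passwd: a bogus root-equivalent account
# appended at the bottom, as the post describes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bob:x:500:500:Bob:/home/bob:/bin/bash
moof:x:0:0::/:/bin/sh
"""

# Constructed sample /etc/exports: one sane entry, two loosened ones.
SAMPLE_EXPORTS = """/home  192.168.1.0/255.255.255.0(rw)
/      (rw,no_root_squash)
/pub   *(ro)
"""


def extra_uid0_accounts(passwd_text):
    """Return names of UID 0 accounts other than 'root'."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed or blank line; skip it
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            found.append(name)
    return found


def risky_exports(exports_text):
    """Return (path, client_spec) pairs that are exported to any host
    (empty or '*' host part) or that disable root squashing."""
    risky = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            host = re.sub(r"\(.*\)$", "", client)          # host before "("
            opts = re.findall(r"\((.*)\)", client)         # options inside "()"
            opts = opts[0].split(",") if opts else []
            if host in ("", "*") or "no_root_squash" in opts:
                risky.append((path, client))
    return risky


if __name__ == "__main__":
    print("extra UID 0 accounts:", extra_uid0_accounts(SAMPLE_PASSWD))
    print("risky exports:", risky_exports(SAMPLE_EXPORTS))
```

On a real host, feed it the contents of /etc/passwd and /etc/exports; an empty result from both functions does not prove the box is clean, only that these two specific traces are absent.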