
List:       incidents
Subject:    Re: RedHat compromise
From:       Jim Roland <jroland () ROLAND ! NET>
Date:       2001-02-23 21:30:31

Yes, on that port, I did get the usual telnet banner and login prompt.  I
was unable to login with a usable account though.  Console access worked
fine though (probably because it was using mingetty instead of
in.telnetd/tcpd).


----- Original Message -----
From: "Andreas Östling" <andreaso@it.su.se>
To: <INCIDENTS@SECURITYFOCUS.COM>
Sent: Friday, February 23, 2001 8:30 AM
Subject: Re: RedHat compromise


> On Monday 19 February 2001 22:43, Jim Roland wrote:
> ...
> > From the remote network, I am able to telnet to port 54321 and get a telnet
> > prompt on the box.  Further investigation shows that all TCP connections
> > are denied.
> ...
> I guess you just saw the telnet banner and not the actual login prompt?
> If TERM is set to "owned" you get in as root without any password when
> telneting to port 54321 (/bin/login is modified this way).
> When /bin/login is called and TERM is not set to "owned", it calls
> /usr/sbin/xcat (which is suid root) with "login" as argument, which calls
> itself with "login" as argument. This will however make xcat call itself
> again, and again, and again...
> I'm not sure why it does that, but it may explain why the host I analyzed had
> a ~50,~50,~50 load average and a huge amount of xcat processes running.
> If /usr/sbin/xcat is called and TERM is set to "nigwarsh" you will instead
> get a shell.
>
> Regards,
> Andreas Östling
>

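A host-triage check for the indicators this thread describes (a listener on TCP 54321, a setuid-root /usr/sbin/xcat, a runaway number of xcat processes, and a /bin/login that no longer matches its package), written as an added example and not taken from either post. It runs over collected command output (`netstat -ant`, `ps -eo comm`, `find / -perm -4000 -user root -print`, `rpm -V util-linux`) so it can be used on artifacts copied off a suspect box; the sample outputs embedded below are constructed, the package name util-linux for /bin/login and the process-count threshold are assumptions.

```python
import re

SUSPECT_PORT = 54321               # listener reported in the thread
SUSPECT_SUID = "/usr/sbin/xcat"    # setuid-root helper reported in the thread
XCAT_FORK_THRESHOLD = 20           # assumption: more xcat processes than this means the self-calling loop


def listening_tcp_ports(netstat_text):
    """Ports in LISTEN state from Linux `netstat -ant` output."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0].startswith("tcp") and fields[-1] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))
    return ports


def process_counts(ps_text):
    """Processes per command name from `ps -eo comm` output; the header line is skipped."""
    counts = {}
    for line in ps_text.splitlines()[1:]:
        name = line.strip()
        if name:
            counts[name] = counts.get(name, 0) + 1
    return counts


def suid_root_paths(find_text):
    """Paths from `find / -perm -4000 -user root -print`, one per line."""
    return {line.strip() for line in find_text.splitlines() if line.strip().startswith("/")}


def rpm_verify_changed(rpm_v_text):
    """Files whose size (S), mode (M) or digest (5) differ from the package, from `rpm -V`.
    Each line is an 8- or 9-character flag string ('.' = unchanged), an optional file-type
    letter, and the path; 'missing' lines are reported with the flag 'missing'."""
    changed = {}
    pat = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:[cdglr]\s+)?(/\S+)$")
    for raw in rpm_v_text.splitlines():
        line = raw.strip()
        if line.startswith("missing"):
            changed[line.split()[-1]] = "missing"
            continue
        m = pat.match(line)
        if m and any(ch in m.group(1) for ch in "SM5"):
            changed[m.group(2)] = m.group(1)
    return changed


def triage(netstat_text, ps_text, find_text, rpm_v_text):
    """Return the list of indicator names that fire on the collected output."""
    hits = []
    if SUSPECT_PORT in listening_tcp_ports(netstat_text):
        hits.append("listener_54321")
    if SUSPECT_SUID in suid_root_paths(find_text):
        hits.append("suid_xcat")
    if process_counts(ps_text).get("xcat", 0) > XCAT_FORK_THRESHOLD:
        hits.append("xcat_fork_loop")
    changed = rpm_verify_changed(rpm_v_text)
    if "/bin/login" in changed:
        hits.append("login_modified:" + changed["/bin/login"])
    return hits


# Constructed sample output standing in for a compromised host (not real capture data).
SAMPLE_NETSTAT = """Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:54321           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:40122          ESTABLISHED
"""
SAMPLE_PS = "COMMAND\ninit\nsshd\n" + "xcat\n" * 30
SAMPLE_FIND = "/bin/su\n/usr/bin/passwd\n/usr/sbin/xcat\n"
SAMPLE_RPM_V = "S.5....T   /bin/login\n.......T   /sbin/agetty\n"   # assumes /bin/login is in util-linux

if __name__ == "__main__":
    for hit in triage(SAMPLE_NETSTAT, SAMPLE_PS, SAMPLE_FIND, SAMPLE_RPM_V):
        print("indicator:", hit)
```

The `rpm -V` check is the one worth keeping even after this particular backdoor is gone: a trojaned login binary shows up as a digest (5) or size (S) change, whereas a mere mtime (T) change on its own is not reported, which keeps ordinary package upgrades from drowning the output.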