Getting root access on VSNL / DoT servers is trivial.
Coming out of the restricted shell is pretty easy on most of the servers. Then
there are 'n' number of suid programs which can be exploited to get root
access. I have written many mails to these server admins, but I am not able to
convince these people.

Secondly, the stopping of shell access works only with the dial-up line. If
you log in to a gias server (e.g. giasbm01) with user guest and password
gias123 then you can go to any server and get a shell prompt. I really wonder
why they can't simply put the shell as false in the passwd file to disallow shell
login.

Last year when I pointed my browser at port 8081 of one of the DoT servers I
received a beautiful server administration menu without authentication
(similar to linuxconf) with root access. I promptly intimated the concerned
person. He took more than a month to close the hole.

With this scenario we are talking of entering into e-commerce?

Best Regards,
M.S.Deshmukh,
Director.
Beta Computronics Pvt. Ltd.
Web Site - http://betacomp.com



>Last year around Oct-Nov one fine mornin' I was playin' with Telnet. I was
>experimentin' on cal2 server of VSNL. As it is it was hackneyed. Then I
>tried FTP on cal2, which I never did. I got root access. I came out without
>any exploitation. Then after I did the same thing for 'bout 10 times for 2-3
>months. After that one day I along with my friends got a System Privilege
>saying VSNL is closin' all its shell accounts with telnet access. I don't
>know whether it was correlated but the fact is VSNL didn't check its Log
>for at least 3 months. I've NT & *nix Pass Crackin' utilities, with the
>help of that I can get the passes. I was ashamed thinkin' our leadin' ISP's
>system config was so poor. I did the same thin' with many other servers.




-----------------------------------------------------------------------
The LIH mailing list archives are available at:
http://lists.linux-india.org/cgi-bin/wilma/linux-india-help