> So, someone has a program that connects to the 'auth' port and overflows
> some buffer to gain a root shell. This exploit is either in inetd or
> identd (I am thinking it is in inetd, because identd is run as
> 'nobody'). If anyone would like to check out inetd for any holes,
> please do so as I am doing. Another clue in this is that one of the
> environment variables set was:
>
Did you actually watch them exploit a vulnerability in identd? They
easily could have broken in via another means, and then patched
inetd, identd or even tcp wrappers to execute a shell given specific
input (i.e. a backdoor or a trojan).
> dummy=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> Which means the hole may exist in the environment variables system.
>
Did they do anything with this variable? Like possibly execute another
command with $dummy as a command-line argument?
Dave G.
--- ---
David Goldsmith [EMAIL PROTECTED]
DEC Consulting http://www.dec.net
Software Development/Internet Security http://www.dec.net/~dhg
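One way to test the reply's alternative explanation (a patched inetd, identd or tcpd rather than a fresh overflow) on a Red Hat box is to verify the installed daemons against the RPM database and flag binaries whose size, digest or mode no longer match the package. This is an added example, not code from the thread; it assumes rpm is present, that the package names inetd, pidentd and tcp_wrappers are the installed ones, and the sample `rpm -V` output below is constructed.

```shell
#!/bin/sh
# Added example: triage 'rpm -V' output to spot tampered network daemons.
# Assumption: Red Hat host with rpm; package names below are assumed.
SUSPECT_PKGS="inetd pidentd tcp_wrappers"

# Reads 'rpm -V' style lines on stdin and prints the path of every regular
# file whose size (S), MD5 digest (5) or mode (M) differs from the package.
# Config files (marked 'c') and mtime-only (T) changes are ignored as noise;
# "missing" entries are skipped here, they deserve a separate look.
tampered_files() {
    awk '{
        flags = $1; path = $NF
        if (flags == "missing") next                 # "missing   /path"
        if (NF == 3 && $2 == "c") next               # config file, expected to change
        if (index(flags, "S") || index(flags, "5") || index(flags, "M")) print path
    }'
}

# Constructed sample output, not captured from a real system.
SAMPLE='S.5....T   /usr/sbin/inetd
.......T   /usr/sbin/in.identd
S.5....T c /etc/inetd.conf
missing    /usr/sbin/in.fingerd
.M.....T   /usr/sbin/tcpd'

# Runs the triage over the constructed sample (used by the self-check).
check_sample() {
    printf '%s\n' "$SAMPLE" | tampered_files
}

# Real use on a suspect host:
#   rpm -V $SUSPECT_PKGS | tampered_files
check_sample
```

A clean run of `rpm -V` only proves the files match the RPM database on that host, so compare against a known-good copy of the packages if the database itself may have been touched.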
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.