This is what I got from sock...
[root@asx temp]# strings ./oldsock | more
/lib/ld-linux.so.1
libc.so.5
_DYNAMIC
execl
__environ
_init
__libc_init
environ
__fpu_control
setgid
strcmp
_fini
atexit
scanf
_GLOBAL_OFFSET_TABLE_
exit
__setfpucw
setuid
_etext
_edata
__bss_start
_end
ash0774
/bin/sh
-----Original Message-----
From: David Zverina [mailto:[EMAIL PROTECTED]]
Sent: Sunday, December 26, 1999 1:07 AM
To: Peter McCarthy; Linux Sydney [SLUG]
Subject: RE: [SLUG] Inetd hack
You can use the strings utility to get a clue about what it is.
% strings /tmp/sock | more
Cheers,
Dave.
---
David Zverina
Alt Key Pty. Ltd.
http://www.altkey.com
PO Box 3121, Parramatta, 2124, Australia
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Peter McCarthy
> Sent: Sunday, 26 December 1999 0:24
> To: Linux Sydney [SLUG]
> Subject: Re: [SLUG] Inetd hack
>
>
> It had a very current date and time stamp so I have renamed it and placed it
> in a temp directory, very suspect, thanx for the tip.
>
> -----Original Message-----
> From: Bernhard L�der <[EMAIL PROTECTED]>
> To: Peter McCarthy <[EMAIL PROTECTED]>
> Date: Saturday, 25 December 1999 10:54 PM
> Subject: RE: [SLUG] Inetd hack
>
>
> It is possibly a program they place in /usr/sbin. Check it.
>
> Bernhard
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Peter McCarthy
> Sent: Saturday, December 25, 1999 21:18
> To: Linux Sydney [SLUG]
> Subject: [SLUG] Inetd hack
>
> Howdy all and Merry Christmas !
>
> I recently had someone hack my system (not a big deal as I planned to upgrade
> it anyway).
> But what they did in an attempt to leave a back door I found intriguing.
> The following lines in /etc/inetd.conf were added by my unwelcome guest.
>
> telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
> 37 stream tcp nowait root /usr/sbin/sock /usr/sbin/sock
>
> I'm not entirely sure what this person achieved by these lines (comments
> welcome !) Is it an attempt to place a root shell on telnet port 37 ?
> And what is sock anyhow ?
>
> I suspect this person gained access to my system via ftpd, is this really
> such a security hole ?
>
> Thanx
>
> PMc
>
> --
> SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au
> To unsubscribe send email to [EMAIL PROTECTED] with
> unsubscribe in the text
>
--
SLUG - Sydney Linux Users Group Mailing List - http://www.slug.org.au
To unsubscribe send email to [EMAIL PROTECTED] with
unsubscribe in the text
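
Added example, not part of the original thread: a small audit of inetd.conf that flags the kind of entry quoted above (a bare port number as the service name, and a root-run server that is not on the host's expected list). The EXPECTED_SERVERS allowlist, the finding names and the sample file are assumptions constructed for illustration.

```python
import re

# Assumption: the only server programs this host should launch from inetd.
EXPECTED_SERVERS = {"/usr/sbin/tcpd", "internal"}

# Constructed sample: the two lines quoted in the thread plus ordinary entries.
SAMPLE = """\
# constructed sample inetd.conf
ftp     stream tcp nowait root   /usr/sbin/tcpd in.ftpd -l -a
time    stream tcp nowait root   internal
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
telnet  stream tcp nowait root   /usr/sbin/tcpd in.telnetd
37      stream tcp nowait root   /usr/sbin/sock /usr/sbin/sock
"""

def parse_inetd(text):
    """Yield (line number, entry dict) for every active inetd.conf line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented-out service
        parts = line.split()
        if len(parts) < 6:
            yield lineno, {"malformed": line}
            continue
        yield lineno, {
            "service": parts[0],
            # the user field may carry a group: "user.group" or "user:group"
            "user": re.split(r"[.:]", parts[4])[0],
            "server": parts[5],
        }

def audit(text, expected=EXPECTED_SERVERS):
    """Return (line number, finding, detail) tuples for entries worth a look."""
    findings = []
    for lineno, entry in parse_inetd(text):
        if "malformed" in entry:
            findings.append((lineno, "malformed", entry["malformed"]))
            continue
        if entry["service"].isdigit():
            # a bare port number instead of a name from /etc/services
            findings.append((lineno, "numeric-service", entry["service"]))
        if entry["user"] == "root" and entry["server"] not in expected:
            findings.append((lineno, "unexpected-root-server", entry["server"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

To check a live host, pass the contents of /etc/inetd.conf to audit() and compare the result against a known-good copy of the file.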