My message was not clear. We did not mount /etc writable. The hacker sent a a long packet which we think overflowed buffer and caused /etc to be mounted writable.
The bug is real, and Debian has a fix. See security lists in Debian. If you are running Debian 2.0 you might have a security hole. There was also security problems with bind. The fixes appear in the current distributions (2.0.2 I think) not in package-updates. King Lee On Fri, 23 Oct 1998, M.C. Vernkon wrote: > > > At our school our system administrator (who is very good) was > > running Red Hat 5.1 and someone broke in and got root privileges. > > Since he had written a Lan watch, we think we know how it happened. > > > > The Lan Watch showed someone form Israel send a very long > > packet to mountd. Shortly after, two names were added to > > the password file with user id 0. We suspect that > > /etc was NFS mounted with write permission. Afterwards > > there were logins from the two added names and rsh was changed. > > mounting anything NFS with write permission is just plain stupid. > > Matthew > > -- > Elen sila lumenn' omentielvo > > Steward of the Cambridge Tolkien Society > Selwyn College Computer Support > http://www.geocities.com/Area51/Chamber/8841/ > http://www.cam.ac.uk/CambUniv/Societies/tolkien/ > http://pick.sel.cam.ac.uk/ > >