On Thu, 4 Jun 1998 [EMAIL PROTECTED] wrote:
>> My utmp file has been corrupted.  in.rlogind has been changed.  Has
>> anyone heard of using in.rlogind as an exploit?  Any ideas on how to
>> find all the damage and repair it short of reloading the system?

There might not have been a hole to exploit in in.rlogind, but after
exploiting another hole in the system, in.rlogind and other programs were
probably replaced with trojan horse versions.  Offhand, I suspect anything
that might potentially see a password in the clear would be a prime
candidate for replacement.  The corrupt utmp appears to stem from the fact
that the utmp struct layout is different between your system and the system
on which the trojan horse programs were compiled.

We fell victim to the recent DNS holes very shortly after switching from
BSD/OS to RH 5.0.  One of the symptoms was that programs like top broke
because the utmp file format was invalid.

Look in /dev for a file called /dev/reset.  There are also some other files
that are apparently data files that /dev/reset uses (/dev/pmc* or something
similar - they will be plain text files and have timestamps about the same
as /dev/reset).  If you have a /dev/reset file you've almost certainly been
compromised.

I forwarded a CERT advisory to the list a few days ago.  If anyone bypassed
it and would like another copy, let me know.  I believe it lists all the
relevant information needed to identify this particular problem.  Linux
systems are the predominant systems being attacked.  The only real recovery
is to reinstall from the CD, upgrade named to either 4.9.7 or 8.1.2 and
change all your passwords.  Oh, yeah, you need to go through the system and
verify that all suid-root programs are okay and check all the programs that
are executed from cron jobs or the at queue to make sure they didn't leave a
trap door for later reentry.

It was a royal pain in the ass, and as far as I've been able to tell all
they did was use our system as a jumping off point for other exploits.  We
were lucky there was apparently no real attempt to damage our system.

Skip Montanaro    | Musi-Cal: http://concerts.calendar.com/
[EMAIL PROTECTED] | Conference Calendar: http://conferences.calendar.com/
(518)372-5583



-- 
  PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
         To unsubscribe: mail [EMAIL PROTECTED] with 
                       "unsubscribe" as the Subject.
