[ale] cracked via mountd
Bob's ALE Mail
transam at cavu.com
Thu Jan 7 20:44:03 EST 1999
Someone I know (who shall remain anonymous) and who is very knowledgeable
in Linux, got hacked on 1/1/99. They seem to have broken in via mountd
using some software they found on the internet. (They didn't seem very
sharp.)
All of the systems with RH 5.1 mountd got cracked this way. The RH 5.2
systems and a RH 5.1 system with RH 5.2 mountd did NOT get cracked, though
firewall logs showed they tried the same attack on these latter systems too.
They seem to have flooded a buffer to accomplish this, left a dummy root
account called "moof" at the bottom of the /etc/passwd file, and fiddled
with /etc/exports.
I recommend turning off mountd until you can upgrade it. An RPM is available
from RH's site.
[A fellow ALEer figured all of this out. I'm just warning y'all.]
Also, two of my friends who are knowledgeable Linux types had their systems
cracked! I use tcp wrappers and have disabled unneeded daemons. I suggest
using at least sendmail 8.8.7.
Bob Toxen
bob at cavu.com http://www.cavu.com
transam at cavu.com [ALE & Linux Laptops]
Fly-By-Day Consulting, Inc.
"The bad reputation UNIX has gotten is totally undeserved, laid on by
people who don't understand, who have not gotten in there and tried
anything." -- Jim Joyce, owner of Jim Joyce's UNIX Bookstore
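As an added illustration (not part of Bob's post or any RH tooling), the two artefacts he describes, a dummy UID-0 account appended to /etc/passwd and tampered /etc/exports entries, can be checked for with a short script. The passwd and exports contents below are constructed samples; point the functions at the real files on a box you are inspecting.

```python
# Added example (not from the original ALE post): post-incident checks for an
# extra UID-0 entry in /etc/passwd and for /etc/exports entries that are open
# to every host or disable root squashing. Sample file contents are constructed.
import re

SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
bob:x:500:500:Bob:/home/bob:/bin/bash
moof:x:0:0::/:/bin/sh
"""

SAMPLE_EXPORTS = """/home    trusted.example.com(rw)
/        *(rw,no_root_squash)
"""

def rogue_root_accounts(passwd_text):
    """Return usernames with UID 0 other than 'root' (e.g. a planted 'moof')."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # skip blank or malformed lines
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            rogue.append(name)
    return rogue

def risky_exports(exports_text):
    """Return (path, host, options) for exports open to all hosts or with no_root_squash."""
    risky = []
    for line in exports_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        path, *clients = line.split()
        if not clients:
            clients = ["*"]  # a path with no client list is exported to everyone
        for client in clients:
            m = re.match(r"([^(]*)(?:\((.*)\))?$", client)
            host, opts = m.group(1), (m.group(2) or "")
            options = [o.strip() for o in opts.split(",") if o.strip()]
            if host in ("", "*") or "no_root_squash" in options:
                risky.append((path, host or "*", options))
    return risky

if __name__ == "__main__":
    print("UID-0 accounts besides root:", rogue_root_accounts(SAMPLE_PASSWD))
    print("Risky exports:", risky_exports(SAMPLE_EXPORTS))
```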