[ale] cracked via mountd

Dunlap, Randy randy.dunlap at intel.com
Fri Jan 8 11:36:15 EST 1999


Here's a web page (Basic Host Security) that you may want
to check out.  It's contents were presented at PLUG (Portland
Linux Users [or /Unix] Group] last night (which I missed).

http://www.paranoid.org/jan99.html

~Randy


> -----Original Message-----
> From: Bob's ALE Mail [mailto:transam at cavu.com]
> Sent: Thursday, January 07, 1999 5:44 PM
> To: ale at cc.gatech.edu
> Subject: [ale] cracked via mountd
> 
> 
> Someone I know (who shall remain anonymous) and who is very 
> knowledgeable
> in Linux, got hacked on 1/1/99.  They seem to have broken in 
> via mountd
> using some software they found on the internet.  (They didn't 
> seem very
> sharp.)
> 
> All of the systems with RH 5.1 mountd got cracked this way.  
> The RH 5.2
> systems and a RH 5.1 system with RH 5.2 mountd did NOT get 
> cracked, though
> firewall logs showed they tried the same attack on these 
> latter systems too.
> 
> They seem to have flooded a buffer to accomplish this, left a 
> dummy root
> account called "moof" at the bottom of the /etc/passwd file, 
> and fiddled
> with /etc/exports.
> 
> I recommend turning off mountd until you can upgrade it.  A 
> RPM is available
> from RH's site.
> 
> [A fellow ALEer figured all of this out.  I'm just warning y'all.]
> 
> Also, two of my friends who are knowledgeable Linux types had 
> their systems
> cracked!  I use tcp wrappers and have disabled unneeded 
> daemons.  I suggest
> using at least sendmail 8.8.7.
> 
> Bob Toxen
> bob at cavu.com http://www.cavu.com
> transam at cavu.com [ALE & Linux Laptops]
> Fly-By-Day Consulting, Inc.
> 
> "The bad reputation UNIX has gotten is totally undeserved, laid on by
> people who don't understand, who have not gotten in there and tried
> anything."  -- Jim Joyce, owner of Jim Joyce's UNIX Bookstore
> 






More information about the Ale mailing list