[ale] cracked via mountd
- Subject: [ale] cracked via mountd
- From: randy.dunlap at intel.com (Dunlap, Randy)
- Date: Fri, 8 Jan 1999 08:36:15 -0800
Here's a web page (Basic Host Security) that you may want
to check out. Its contents were presented at PLUG (Portland
Linux Users [or /Unix] Group) last night (which I missed).
> -----Original Message-----
> From: Bob's ALE Mail [mailto:transam at cavu.com]
> Sent: Thursday, January 07, 1999 5:44 PM
> To: ale at cc.gatech.edu
> Subject: [ale] cracked via mountd
> Someone I know (who shall remain anonymous) and who is very in Linux,
> got hacked on 1/1/99. They seem to have broken in via mountd using
> some software they found on the internet. (They didn't seem very
>
> All of the systems with RH 5.1 mountd got cracked this way. The RH 5.2
> systems and a RH 5.1 system with RH 5.2 mountd did NOT get cracked,
> though firewall logs showed they tried the same attack on these latter
> systems too.
>
> They seem to have flooded a buffer to accomplish this, left a dummy
> root account called "moof" at the bottom of the /etc/passwd file, and
> fiddled with /etc/exports.
>
> I recommend turning off mountd until you can upgrade it. An RPM is
> available from RH's site.
>
> [A fellow ALEer figured all of this out. I'm just warning y'all.]
>
> Also, two of my friends who are knowledgeable Linux types had their
> systems cracked! I use tcp wrappers and have disabled unneeded
> daemons. I suggest using at least sendmail 8.8.7.
> Bob Toxen
> bob at cavu.com http://www.cavu.com
> transam at cavu.com [ALE & Linux Laptops]
> Fly-By-Day Consulting, Inc.
> "The bad reputation UNIX has gotten is totally undeserved, laid on by
> people who don't understand, who have not gotten in there and tried
> anything." -- Jim Joyce, owner of Jim Joyce's UNIX Bookstore
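
A check for the two signs the quoted report mentions, an extra root-level account in /etc/passwd and changes to /etc/exports, as an added example that is not part of either message. The report does not say how /etc/exports was changed, so flagging exports open to any host is an assumption; the function names and sample data are constructed.

```python
import re

# Constructed sample data (not from the post), in passwd(5) / exports(5) layout.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
bob:x:500:500::/home/bob:/bin/bash
moof::0:0::/:/bin/sh
"""
SAMPLE_EXPORTS = """\
# constructed sample
/home 192.168.1.0/24(rw)
/pub *(ro)
/ (rw,no_root_squash)
/srv trusted.example.com (rw)
"""

def extra_root_accounts(passwd_text):
    """Return (line_number, name) for every UID-0 account not named root."""
    hits = []
    for n, line in enumerate(passwd_text.splitlines(), 1):
        fields = line.strip().split(":")
        if len(fields) < 3:
            continue  # blank or malformed line
        try:
            uid = int(fields[2])  # "00" is still UID 0
        except ValueError:
            continue
        if uid == 0 and fields[0] != "root":
            hits.append((n, fields[0]))
    return hits

def open_exports(exports_text):
    """Return (path, client, options) for exports that any host can mount."""
    hits = []
    for line in exports_text.replace("\\\n", " ").splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        path, clients = words[0], words[1:] or [""]
        for client in clients:
            m = re.fullmatch(r"([^()]*)(?:\((.*)\))?", client)
            if m and m.group(1) in ("", "*"):
                hits.append((path, m.group(1) or "<any>", m.group(2) or ""))
    return hits

if __name__ == "__main__":
    print(extra_root_accounts(SAMPLE_PASSWD))
    print(open_exports(SAMPLE_EXPORTS))
```

The `/srv` line is flagged because the space before `(rw)` makes the options apply to every host instead of the named one.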