Subject: Re: the telnet vulnerability - is it actually fixed?
To: John F. Woods <jfw@jfwhome.funhouse.com>
From: David Maxwell <david@vex.net>
List: current-users
Date: 07/26/2001 13:12:55
On Thu, Jul 26, 2001 at 12:34:36AM -0400, John F. Woods wrote:
> Like everyone else, it seems (:-), I did a rebuild today to make sure I have
> the telnet daemon fix to address the recent security advisory.  Yet I just
> saw two "ttloop: peer died" messages a few minutes ago.  I did a cvs update
> this morning, libexec/telnetd contains a bunch of files modified today, and
> telnetd has been rebuilt from those sources.  Does the exploit attempt still
> kill telnetd, or is the fix insufficient?
> 
> Thank goodness I installed tripwire today, too...

'peer died' messages are generated easily by telnetting and hitting
Ctrl-D at the login prompt. It either means someone tried to login and
gave up, or someone was testing your machine.

In all testing of the exploit that I did, you would see a 'No such file
or Directory' for any attempted, or successful exploit.

(Of course, after a successful exploit, the intruder can clean that out
of the logs...)

-- 
David Maxwell, david@vex.net|david@maxwell.net -->
All this stuff in twice the space would only look half as bad!
					      - me