Subject: Re: the telnet vulnerability - is it actually fixed?
To: John F. Woods <jfw@jfwhome.funhouse.com>
From: David Maxwell <david@vex.net>
List: current-users
Date: 07/26/2001 15:15:23

On Thu, Jul 26, 2001 at 02:04:41PM -0400, John F. Woods wrote:
> > 'peer died' messages are generated easily by telnetting and hitting
> > Ctrl-D at the login prompt. It either means someone tried to login and
> > gave up, or someone was testing your machine.
> > In all testing of the exploit that I did, you would see a 'No such file
> > or Directory' for any attempted, or successful exploit.
> 
> Here's what I saw:
> 
> Jul 26 00:09:30 jfwhome telnetd[2617]: ttloop:  peer died: No such file or directory
> Jul 26 00:10:46 jfwhome telnetd[2626]: ttloop:  peer died: No such file or directory
> Jul 26 00:37:57 jfwhome telnetd[2846]: ttloop:  peer died: No such file or directory
> Jul 26 00:39:33 jfwhome telnetd[2847]: ttloop:  read: Connection reset by peer
> Jul 26 01:22:44 jfwhome telnetd[2627]: ttloop:  peer died: No such file or directory

Looks to me like the sk tried the exploit - and its test mode would have
claimed you were vulnerable. If this was a non-1.5, or non-i386 box, the
sk was stumped as to why the exploit failed, and decided to telnet to
the port to test it - saw the login, and did Ctrl-D. Reassured that
telnet was answering, he tried the exploit again.

If this is a 1.5 i386, it's probably time to look at the system in more
detail - particularly with mtree, tripwire, etc.

> It certainly looks like the script kiddie community has jumped on this bug
> with relish.  Before this was announced, the last time I saw that message
> was April 17.

In looking at systems I have root on (and installing the patch), I
didn't find any occurrences of 'No such file...', prior to the release
of the exploit on bugtraq, but I have seen some since.

-- 
David Maxwell, david@vex.net|david@maxwell.net --> Mastery of UNIX, like
mastery of language, offers real freedom. The price of freedom is always dear,
but there's no substitute. Personally, I'd rather pay for my freedom than live
in a bitmapped, pop-up-happy dungeon like NT. - Thomas Scoville
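
An added example, not part of the original message: a Python scan of syslog text for the telnetd `ttloop` lines quoted above, counting per host and day the 'peer died: No such file or directory' message that the thread ties to attempted or successful exploit runs. The function names and the caller-supplied year are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# The five syslog lines quoted in the message above (BSD syslog format, no year field).
SAMPLE_LOG = """\
Jul 26 00:09:30 jfwhome telnetd[2617]: ttloop:  peer died: No such file or directory
Jul 26 00:10:46 jfwhome telnetd[2626]: ttloop:  peer died: No such file or directory
Jul 26 00:37:57 jfwhome telnetd[2846]: ttloop:  peer died: No such file or directory
Jul 26 00:39:33 jfwhome telnetd[2847]: ttloop:  read: Connection reset by peer
Jul 26 01:22:44 jfwhome telnetd[2627]: ttloop:  peer died: No such file or directory
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"telnetd\[(?P<pid>\d+)\]: ttloop:\s+(?P<msg>.*\S)\s*$"
)
# Text the thread reports for attempted or successful runs of the exploit.
SUSPECT_MSG = "peer died: No such file or directory"


def parse_ttloop(text, year):
    """Return one dict per telnetd ttloop line; all other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        # Syslog omits the year, so the caller supplies it (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"when": when, "host": m["host"], "pid": int(m["pid"]),
                       "msg": m["msg"], "suspect": m["msg"] == SUSPECT_MSG})
    return events


def summarize(events):
    """Count suspect lines per (host, day) and note the first sighting."""
    suspect = [e for e in events if e["suspect"]]
    per_day = Counter((e["host"], e["when"].date().isoformat()) for e in suspect)
    first = min((e["when"] for e in suspect), default=None)
    return {"per_day": dict(per_day), "first_seen": first,
            "other": [e["msg"] for e in events if not e["suspect"]]}


if __name__ == "__main__":
    report = summarize(parse_ttloop(SAMPLE_LOG, 2001))
    for (host, day), n in sorted(report["per_day"].items()):
        print(f"{host} {day}: {n} x '{SUSPECT_MSG}'")
    print("first seen:", report["first_seen"], "| other ttloop:", report["other"])
```

Run against older rotated logs as well, the first-seen date gives the baseline comparison both posters make by hand.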