Subject: Re: telnetd exploit attempts.
To: Stephen M Jones <smj@cirr.com>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: tech-security
Date: 09/05/2001 07:34:32
--IJpNTDwzlM2Ie8A6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
On Tue, Sep 04, 2001 at 08:00:15PM -0500, Stephen M Jones wrote:
> I applied the telnetd patch, built it and installed
> it before cutting over from the old platform. Recently
> (the past few days .. probably because of the "unpublished
> proprietary source code" leak) I've noticed a telnetd.core
> file showing up in /=20
Which "telnetd patch"? How did you apply it? What do the cores say
killed telnetd? (Did you build it with debugging symbols on? If so,
trace it back with gdb.)
> I've also noticed telnetd attempting to eat up CPU time and
> I suspect those are break in attemptees.
What makes you so sure your system has not already been compromised?
> I went ahead and compiled the leaked "unpublished proprietary
> source code" to test it out .. it ran fine, but didn't=20
> produce a telnetd.core nor did it allow root access.
That doesn't prove much. The code would have to be modified to work
for NetBSD's syscalls. (And probably modified further to match where
things live in your custom kernel.)
> Before I close, I'd just like to say I don't want to start
> a thread on why I should not allow telnet connections. I
> know telnet is not secure, et cetera ..=20
That's easy enough to respect. (It's just that you won't find very
many people using telnetd in tech-security. ;^>)
> NetBSD sdf 1.5.1 NetBSD 1.5.1 (SDF) #0: Thu Aug 30 01:32:53 UTC 2001 alpha
Presuming you're not, have you considered upgrading to the most
recent -release source? (Do a cvs update -r netbsd-1-5 on your
local source tree.) Though the patch you applied may not have meshed
quite right with virgin 1.5.1 (not exactly our most bug-free
release), the most recent (theoretically releasable) source in the
tree should work correctly.
Oh, and if you were trying to hide which "high profile public access
machine" you administer, that sort of gave it away. At least to me.
;^>
Presuming NetBSD works out for you, it'd be cool to see a DaemonNews
story or something on the switch over.
--=20
~ g r @ eclipsed.net
--IJpNTDwzlM2Ie8A6
Content-Type: application/pgp-signature
Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iD8DBQE7lg3G9ehacAz5CRoRAlSdAJ9yZK7cRItU2urmPI0XAMtqSW3EGQCdGkZ+
UVmxzSIbw5yB0Zp3yRQu+tE=
=znCi
-----END PGP SIGNATURE-----
--IJpNTDwzlM2Ie8A6--