Subject: Re: telnetd exploit attempts.
To: gabriel rosenkoetter <gr@eclipsed.net>
From: Stephen M Jones <smj@cirr.com>
List: tech-security
Date: 09/05/2001 16:48:37
Andrew Brown wrote:
> i imagine there's at least an order of magnitude of difference between
> the commonality of i386 exploits and sparc exploits, with exploits for
> other architectures falling (at least) another order of magnitude
> below that.
That is true and I understand that that 'unpublished proprietary source'
that made its way out was targetting ix86 machines. I'm being cautious
as right now there are about 107 telnetd processes running and 84 sshd.
Its going that way and ultimately I'd like to cut out ftpd as well and
just teach folks the magic of ssh and scp. Honestly, it was intended
and it just takes a little documentation, and something listening on
ports 21 and 23 to inform folks of what they need to do.
GR wrote:
> Which "telnetd patch"? How did you apply it? What do the cores say
> killed telnetd? (Did you build it with debugging symbols on? If so,
> trace it back with gdb.)
SA2001-012, applied to the source tree telnetd, I've not built it with
debugging symbols on, but will do so now. Monitoring logs I've seen
about 158 ttloop: peer died: No such file or directory over the past
two days.
> What makes you so sure your system has not already been compromised?
I'm not excessively paranoid about it. Its a public system, I back
everything up and I don't put (my own) critical files on it. I do
monitor file changes, new setuids across the farm .. but other than
that, I don't stress over it.
> Presuming you're not, have you considered upgrading to the most
> recent -release source? (Do a cvs update -r netbsd-1-5 on your
> local source tree.) Though the patch you applied may not have meshed
> quite right with virgin 1.5.1 (not exactly our most bug-free
> release), the most recent (theoretically releasable) source in the
> tree should work correctly.
I do have the source tree (minus the kernel) checked out and updated
automatically .. Its not build without me doing it though. Honestly,
I'm not really interested in having a production machine track current
beyond userlandish stuff).
> Oh, and if you were trying to hide which "high profile public access
> machine" you administer, that sort of gave it away. At least to me.
> ;^>
Well, I didn't want to make it too blatantly obvious.
> Presuming NetBSD works out for you, it'd be cool to see a DaemonNews
> story or something on the switch over.
By hook or by crook .. it will. I worked for a developer who worked on
NetBSD ports .. he got me interested with it all in 1994. I started
running a private machine (which moved off of SystemV at that time) and
its run without any major problems (though a drive died once). My
desktop at work has run NetBSD since I got here. I did try moving to
NetBSD in 1997, but ran into the inefficiencies with the pwd_mkdb code
hashing databases for 10-15 thousand users. These problems still
exist, but I got around them by tweaking HASHINFO which got it down to
about 20 seconds to build a new pwd.db & spwd.db for 30 thousand users ..
what made that reasonable was to throw it all into an MFS .. it now
builds the databases (which are built at boot time so the machine comes
up sanely) in memory. but I digress! If I get a core dump from newly
built telnetd with debugging turned on that has info, I'll post that.
smj