Apparent SNMP remote-root vulnerability.
I just had a remote root break-in on my machine (x86 running Red Hat Linux
5.0 with all the updates except for kernel-2.0.32-3) this morning at
06:03:28 EDT.  From what I've been able to gather, it appears to have been
through snmpd, which I missed when I was weeding out unused daemons.

Sorry for the feeble message, but all I know (or at least strongly
suspect) is that there's a vulnerability in Red Hat 5.0's cmu-snmp-3.4-3
when configured as shipped. I have a combination birthday/Mother's Day
party to get to, so I can't do much more investigating.

(In case anyone else has any similar experiences, connections were from
southshore.com and shell.dhp.com.  Someone from dionysus.publib.nf.ca did
a port scan of my machine on April 27 at 5 a.m. EDT.)

If this turns out to be a simple misconfiguration, then I'm an idiot for
posting this, but it should still not be possible to open up a system to
remote root access simply by installing a standard RPM.

--
Dan