
Re: [linux-security] Apparent SNMP remote-root vulnerability.



On Sat, 9 May 1998, Dan Reish wrote:

> ... but all I know (or at least strongly
> suspect) is that there's a vulnerability in Red Hat 5.0's cmu-snmp-3.4-3

Sorry, I was wrong.  It (probably) wasn't snmp.  I discovered this before
my message was approved, but I forgot to ask REW to drop the message.  So
my sig is "Dunce" for this week.

There _was_ a break-in, but after getting root, my logs were erased. 
What I was left with doesn't leave any clues about the point of entry.  I
mistook a startup message in a file other than /var/log/messages for a
missed log entry.

I don't know how useful this is, but I know my passwords aren't guessable,
and I thought I had a reasonably secure system (though I've since gone
through another round of weeding out unused daemons).  Whoever did this
has a fairly large library of vulnerabilities, since he was hopping from
one system (not all running Linux) to the next, getting root and moving on
quickly.  So ... here are the daemons and services I had running at the
time:

portmap (from portmap-4.0-7)
netplan (from plan-server-1.6.1-7)
postmaster (from postgresql-6.2.1-7)
syslogd (from sysklogd-1.3-19)
named (from bind-4.9.6-7)
xntpd from xntp3-5.91 (installed from the sources)
sshd from sshd-1.2.22 (installed from the sources) (on ports 21-23)
lpd (from lpr-0.31-1)
httpd (from apache-1.2.5-1)

From inetd:

qmail-smtpd from qmail-1.01 (installed from the sources)
in.fingerd through tcpd (from finger-0.10-2) (tcpd from tcp_wrappers-7.6-2)
in.timed through tcpd (from intimed-1.10-5)
in.identd (from pidentd-2.7-1)
uucpd (from uucp-1.06.1-14)

--
Dunce


