From: Damon Atkins (Damon.Atkins@nabaus.com.au)
Date: 09/29/98-12:46:33 AM Z
Message-ID: <36107439.E4FEAB4C@nabaus.com.au>
Date: Tue, 29 Sep 1998 15:46:33 +1000
From: Damon Atkins <Damon.Atkins@nabaus.com.au>
Subject: [Fwd: mountd remote exploit?]

We need to prevent this sort of thing in NFS4.

morex .- wrote:

> To my knowledge there are 3 different versions of the mountd remote
> exploit going around. I found a bin on my shell server from a user and ran
> it on an outdated box of my own and it did work. I have not seen the
> source.. only the bin. So I do know there is a remote exploit going
> around.
>
> morex .-
> http://morex.net
> http://www.worldnetworks.net
>
> On Mon, 28 Sep 1998, John Caldwell wrote:
>
> > This morning at about 2am, someone managed to get into my machine using
> > some type of mountd exploit. I was watching at the time, so they weren't
> > able to do much damage, but it looks like they were able to nfs mount my
> > root drive remotely, even though it's not listed in the /etc/exports. I
> > was led to believe it was mountd by this:
> >
> >
> > Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client
> > xxx.xxx.xxx.xxx
> > Sep 28 02:35:15 harman syslogd: Cannot glue message parts together
> > Sep 28 02:35:15 harman mountd[263]: Blocked attempt of xxx.xxx.xxx.xxx to
> > mount ^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> > Sep 28 02:35:15 harman
> > (-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
> > E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
> > H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
> > -^E^H(-^E^H(-^E^H(-
> >
> >
> > The guy had added a line to my /etc/passwd and inetd.conf files allowing
> > for easy root access, but didn't do much other damage. I'm not very
> > familiar with mountd and I haven't heard anything about remote exploits, so
> > I thought I'd post about it.
> >
> >
> > I couldn't find a current contact for the linux nfs package, so that's why I
> > posted here first.
> >
> > --
> > -------------------------
> > | John Caldwell
> > | jcald@lake.ml.org
> > | http://www.lake.ml.org/
> > -------------------------
> >
>
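
Added example, not part of the original messages: a log check for the pattern in the quoted syslog excerpt, where a mountd "mount" argument arrives as a long run of caret-notation control bytes spilling over several lines. The function name, the two thresholds, and the sample lines (with 192.0.2.10 standing in for the masked client address) are assumptions constructed for illustration.

```python
import re

# A control byte as syslog prints it in caret notation, e.g. ^P or ^H.
CARET = re.compile(r"\^[@-_?]")
# Syslog record header: timestamp, host, then optionally "daemon[pid]: message".
HDR = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+)(?: (\S+?)(?:\[\d+\])?: (.*))?$")
MIN_CTRL = 8      # assumed threshold; an exported path should contain none
MAX_BYTES = 1024  # assumed threshold for a plausible path length


def suspicious_mounts(lines):
    """Return (timestamp, host, ctrl_count, byte_len) for each mountd record
    whose mount argument is full of control bytes or implausibly long."""
    findings, current = [], None

    def flush():
        if current is None or " mount " not in current[2]:
            return
        arg = current[2].split(" mount ", 1)[1]
        ctrl = len(CARET.findall(arg))
        nbytes = len(arg) - ctrl  # each two-character caret pair is one byte
        if ctrl >= MIN_CTRL or nbytes > MAX_BYTES:
            findings.append((current[0], current[1], ctrl, nbytes))

    for raw in lines:
        line = raw.rstrip("\n")
        m = HDR.match(line)
        if m:                      # a new syslog record starts here
            flush()
            is_mountd = m.group(3) in ("mountd", "rpc.mountd")
            current = [m.group(1), m.group(2), m.group(4)] if is_mountd else None
        elif current is not None:  # spilled continuation of a mountd record
            current[2] += line
    flush()
    return findings


# Constructed sample shaped like the excerpt above; not the original log.
SAMPLE = [
    "Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client 192.0.2.10",
    "Sep 28 02:35:15 harman syslogd: Cannot glue message parts together",
    "Sep 28 02:35:15 harman mountd[263]: Blocked attempt of 192.0.2.10 to mount ^P",
] + ["^P" * 40] * 11 + [
    "Sep 28 02:35:15 harman",
    "(-^E^H" * 10,
    "Sep 28 02:40:02 harman mountd[263]: Blocked attempt of 192.0.2.10 to mount /export/home",
]

if __name__ == "__main__":
    for hit in suspicious_mounts(SAMPLE):
        print(hit)
```

A "Blocked attempt" line only records that the export check refused the request, so a hit from this check is a reason to inspect /etc/passwd and inetd.conf for added lines, as the reporter found.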