Re: IRIX 6.2 passwordless accounts exploit?

From: D.A. Harris (rodmurat_private)
Date: Mon Sep 28 1998 - 16:14:35 PDT


    On Mon, Sep 28, 1998 at 03:31:28PM -0700, Dan Stromberg wrote:
    > We've had a lot of script kiddies running an exploit against our campus,
    > that checks for accounts that are passwordless by default in IRIX 6.2 -
    > like 4Dgifts, EZsetup, and so on.  I've seen indications this isn't
    > limited to our campus...
    >
    > This script has been generating hordes of syslog entries like:
    >
    > Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
    >
    
    
    I figured it was just SATAN, but I don't know.  I've seen a few of these
    from a couple of large ISPs, and I passed the information along to the appropriate
    abuse addresses.  You just have to remember to give those accounts passwords,
    or delete them altogether, since they are worthless accounts.
    
    Actually, something that I think is a bug in IRIX, something that hasn't been
    fixed in 6.5, is the behavior of login when you specify that root can
    only log in to /dev/console (this can be set in /etc/default/login).
    Instead of immediately denying someone access when they try to telnet
    or rlogin as root to a box, it lets you still attempt the password, and
    only denies you access when you get the password correct.  So a hacker would
    know that they have the right root password, so all he has to do is hack
    a user account, probably not too difficult.  What login should do is once
    root gets entered at the login prompt, it should give an error and disconnect,
    that way no potential hint to the root password would be given.
    
    
    --
    Dale Harris       <rodmurat_private>     PGP KeyID: E26EC5FD
    System Administrator                           ph.  (530) 898-4421
    Computer Graphics, Instructional Media Center  fax. (530) 898-5369
    California State University, Chico, California 95929-0005
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
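
One way to triage the syslog entries quoted in this thread, as an added example that is not part of either poster's message: it parses lines in the format shown and groups failed logins to the default accounts by source host. The account set holds only the two names given in the thread, the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Accounts the thread names as passwordless by default on IRIX 6.2.
# The post says "and so on"; extend this set from your own passwd audit.
DEFAULT_ACCOUNTS = {"4Dgifts", "EZsetup"}

# Matches the entry quoted in the thread:
#   Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
FAILED_LOGIN = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"login\[\d+\]: failed: (?P<ruser>[^@\s]*)@(?P<src>\S+) "
    r"as (?P<account>\S+)\s*$"
)

def probes_by_source(lines, accounts=DEFAULT_ACCOUNTS):
    """Map source host -> {account: count} for failed default-account logins."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = FAILED_LOGIN.match(line)
        if m and m.group("account") in accounts:
            hits[m.group("src")][m.group("account")] += 1
    return {src: dict(accts) for src, accts in hits.items()}

def likely_scanners(hits, min_accounts=2):
    """Sources that tried several distinct default accounts (a sweep)."""
    return sorted(s for s, a in hits.items() if len(a) >= min_accounts)

# Sample input: the first line is the one quoted in the thread,
# the remaining lines are constructed for this example.
SAMPLE_LOG = """\
Sep 27 12:43:19 foo.bar login[16310]: failed: ?@warble.frob as 4Dgifts
Sep 27 12:43:21 foo.bar login[16311]: failed: ?@warble.frob as EZsetup
Sep 27 12:43:40 baz.bar login[412]: failed: ?@warble.frob as 4Dgifts
Sep 27 13:02:05 foo.bar login[16402]: failed: ?@lab1.example as jsmith
Sep 27 13:10:11 foo.bar login[16440]: failed: ?@dialup.example as EZsetup
Sep 27 13:15:00 foo.bar sendmail[99]: unrelated line
""".splitlines()

if __name__ == "__main__":
    hits = probes_by_source(SAMPLE_LOG)
    for src in sorted(hits):
        print(src, hits[src])
    print("likely scanners:", likely_scanners(hits))
```

A source that appears here against accounts which have already been given passwords or deleted is only noise; one that appears against an account still left passwordless is worth checking for a successful login right after the failures.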
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:02 PDT