mountd remote exploit?

From: John Caldwell (jcaldat_private)
Date: Mon Sep 28 1998 - 19:11:39 PDT


    This morning at about 2am, someone managed to get into my machine using
    some type of mountd exploit. I was watching at the time, so they weren't
    able to do much damage, but it looks like they were able to NFS mount my
    root drive remotely, even though it's not listed in the /etc/exports.  I
    was led to believe it was mountd by this:
    
    
    Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client
    xxx.xxx.xxx.xxx
    Sep 28 02:35:15 harman syslogd: Cannot glue message parts together
    Sep 28 02:35:15 harman mountd[263]: Blocked attempt of xxx.xxx.xxx.xxx to
    mount ^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    Sep 28 02:35:15 harman
    (-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
    E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
    H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
    -^E^H(-^E^H(-^E^H(-
    
    
    The guy had added a line to my /etc/passwd and inetd.conf files allowing
    for easy root access, but didn't do much other damage.  I'm not very
    familiar with mountd and I haven't heard anything about remote exploits, so
    I thought I'd post about it.
    
    
    I couldn't find a current contact for the Linux NFS package, so that's why I
    posted here first.
    
    --
     -------------------------
    | John Caldwell
    | jcaldat_private
    | http://www.lake.ml.org/
     -------------------------
    
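The three log lines in the post are the whole detection story: mountd refused the request, but the "path" it refused was several hundred bytes of a single repeated control byte followed by a repeating four-byte pattern, and syslogd could not reassemble the oversized message. The following is an added example, not code from the post or from the Linux NFS package, that turns that into a syslog check a practitioner could run over rotated logs. It assumes caret notation in the post maps to the usual control bytes (^P is 0x10, ^E is 0x05, ^H is 0x08), assumes a legitimate export path is never longer than 255 bytes and never contains a run of 32 or more identical bytes, and uses constructed sample lines with made-up source addresses.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (assumption: these are NOT the bytes from the
# original post; they follow the message shapes shown there). The post prints the
# payload in caret notation; ^P, ^E and ^H are the control bytes 0x10, 0x05 and
# 0x08, which is how they are written here.
ATTACK_PATH = "\x10" * 600 + "(-\x05\x08" * 40
SAMPLE_LOG = [
    "Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client 10.0.0.7",
    "Sep 28 02:35:15 harman syslogd: Cannot glue message parts together",
    "Sep 28 02:35:15 harman mountd[263]: Blocked attempt of 10.0.0.7 to mount " + ATTACK_PATH,
    "Sep 28 03:10:02 harman mountd[263]: Blocked attempt of 192.168.1.5 to mount /export/home",
]

# Classic BSD syslog line: timestamp, host, program[pid]: message.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$",
    re.DOTALL,
)
# The two mountd messages seen in the post.
BLOCKED_RE = re.compile(r"^Blocked attempt of (?P<ip>\S+) to mount (?P<path>.*)$", re.DOTALL)
UNAUTH_RE = re.compile(r"^Unauthorized access by NFS client (?P<ip>\S+)$")

MAX_SANE_PATH = 255  # assumption: no legitimate export path is longer than this
MIN_RUN = 32         # assumption: 32+ identical bytes in a row is sled-like, not a path


def path_indicators(path):
    """Return the reasons a requested mount path looks like an overflow payload."""
    reasons = []
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in path):
        reasons.append("control-bytes")
    if len(path) > MAX_SANE_PATH:
        reasons.append("oversized")
    if not path.startswith("/"):
        reasons.append("not-absolute")
    if re.search(r"(.)\1{%d,}" % (MIN_RUN - 1), path, re.DOTALL):
        reasons.append("repeated-byte-run")
    return reasons


def analyze(lines):
    """Group mountd refusals by source IP and tag the ones carrying payload-like paths."""
    parsed = [m for m in (SYSLOG_RE.match(l) for l in lines) if m]
    # Pass 1: timestamps at which syslogd reported a message it could not reassemble.
    # That corroborates an oversized mount request landing at the same second.
    glue_times = {
        m.group("ts") for m in parsed
        if m.group("prog") == "syslogd" and "Cannot glue message parts together" in m.group("msg")
    }
    # Pass 2: the mountd lines themselves.
    by_ip = defaultdict(lambda: {
        "unauthorized": 0, "blocked": 0, "suspicious_paths": [], "syslog_truncation": False,
    })
    for m in parsed:
        if m.group("prog") != "mountd":
            continue
        ts, msg = m.group("ts"), m.group("msg")
        u = UNAUTH_RE.match(msg)
        if u:
            by_ip[u.group("ip")]["unauthorized"] += 1
            continue
        b = BLOCKED_RE.match(msg)
        if b:
            rec = by_ip[b.group("ip")]
            rec["blocked"] += 1
            reasons = path_indicators(b.group("path"))
            if reasons:
                rec["suspicious_paths"].append((ts, reasons))
                if ts in glue_times:
                    rec["syslog_truncation"] = True
    return dict(by_ip)


def alerts(findings):
    """Source IPs whose blocked mount requests carried a payload-like path."""
    return sorted(ip for ip, rec in findings.items() if rec["suspicious_paths"])


if __name__ == "__main__":
    findings = analyze(SAMPLE_LOG)
    for ip in alerts(findings):
        rec = findings[ip]
        print(ip, "unauthorized=%d blocked=%d truncated=%s" %
              (rec["unauthorized"], rec["blocked"], rec["syslog_truncation"]))
        for ts, reasons in rec["suspicious_paths"]:
            print("   ", ts, ", ".join(reasons))
```

A plain "Blocked attempt" from a host that is simply not in /etc/exports (the 192.168.1.5 line) is not alerted on; only a refused path that is not a path at all is. The check deliberately does not trust the log's own line boundaries: the post shows the payload split across several syslog records, so the parser uses DOTALL and keys the syslogd truncation message by timestamp rather than by adjacency.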



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:03 PDT