Re: mountd remote exploit?

From: morex .- (morexat_private)
Date: Mon Sep 28 1998 - 21:11:43 PDT


    To my knowledge there are 3 different versions of the mountd remote
    exploit going around. I found a bin on my shell server from a user and ran
    it on an outdated box of my own and it did work. I have not seen the
    source, only the bin. So I do know there is a remote exploit going
    around.
    
    morex .-
    http://morex.net
    http://www.worldnetworks.net
    
    On Mon, 28 Sep 1998, John Caldwell wrote:
    
    > This morning at about 2am, someone managed to get into my machine using
    > some type of mountd exploit. I was watching at the time, so they weren't
    > able to do much damage, but it looks like they were able to nfs mount my
    > root drive remotely, even though it's not listed in the /etc/exports.  I
    > was led to believe it was mountd by this:
    >
    >
    > Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client
    > xxx.xxx.xxx.xxx
    > Sep 28 02:35:15 harman syslogd: Cannot glue message parts together
    > Sep 28 02:35:15 harman mountd[263]: Blocked attempt of xxx.xxx.xxx.xxx to
    > mount ^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
    > Sep 28 02:35:15 harman
    > (-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^
    > E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^
    > H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(
    > -^E^H(-^E^H(-^E^H(-
    >
    >
    > The guy had added a line to my /etc/passwd and inetd.conf files allowing
    > for easy root access, but didn't do much other damage.  I'm not very
    > familiar with mountd and I haven't heard anything about remote exploits, so
    > I thought I'd post about it.
    >
    >
    > I couldn't find a current contact for the linux nfs package, so that's why I
    > posted here first.
    >
    > --
    >  -------------------------
    > | John Caldwell
    > | jcaldat_private
    > | http://www.lake.ml.org/
    >  -------------------------
    >
    
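The syslog lines quoted above are the only evidence John had that mountd was the entry point: a "Blocked attempt ... to mount" message whose mount path is hundreds of control characters long, next to "Unauthorized access by NFS client" from the same address. The following is an added example, not code from either poster: a small Python scanner that reads syslog lines in that format and flags, per client address, any blocked mount request whose path contains non-printable bytes or is implausibly long. The sample lines, the client addresses (192.0.2.x, documentation range), and the 256-byte path threshold are constructed assumptions for the example.

```python
import re

# Constructed sample log lines modelled on the format quoted in the thread.
# Control characters are written as escapes; addresses are placeholders.
SAMPLE_LOG = [
    "Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client 192.0.2.10",
    "Sep 28 02:35:15 harman syslogd: Cannot glue message parts together",
    "Sep 28 02:35:15 harman mountd[263]: Blocked attempt of 192.0.2.10 to mount "
    + "\x10" * 400 + "(-\x05\x08" * 30,
    "Sep 28 02:40:01 harman mountd[263]: Blocked attempt of 192.0.2.20 to mount /export/home",
    "Sep 28 02:41:12 harman mountd[263]: Unauthorized access by NFS client 192.0.2.20",
]

BLOCKED_RE = re.compile(r"mountd\[(\d+)\]: Blocked attempt of (\S+) to mount (.*)$", re.DOTALL)
UNAUTH_RE = re.compile(r"mountd\[(\d+)\]: Unauthorized access by NFS client (\S+)")

# Assumption for this example: legitimate export paths are far shorter than this.
MAX_SANE_PATH = 256


def classify_mount_line(line):
    """Return a dict describing the mountd event on this syslog line, or None
    if the line is not a mountd access message."""
    m = BLOCKED_RE.search(line)
    if m:
        path = m.group(3)
        # Count control bytes: a real path name never contains these.
        nonprint = sum(1 for ch in path if ord(ch) < 0x20 or ord(ch) == 0x7F)
        suspicious = nonprint > 0 or len(path) > MAX_SANE_PATH
        return {
            "kind": "blocked",
            "client": m.group(2),
            "path_len": len(path),
            "nonprintable": nonprint,
            "suspicious": suspicious,
        }
    m = UNAUTH_RE.search(line)
    if m:
        return {"kind": "unauthorized", "client": m.group(2), "suspicious": False}
    return None


def scan(lines):
    """Summarise mountd events per client address: how many unauthorized-access
    messages were logged and whether any blocked mount path looked like an
    overflow attempt rather than a real directory name."""
    report = {}
    for line in lines:
        ev = classify_mount_line(line)
        if ev is None:
            continue
        entry = report.setdefault(
            ev["client"], {"unauthorized": 0, "overflow_like": False, "max_path_len": 0}
        )
        if ev["kind"] == "unauthorized":
            entry["unauthorized"] += 1
        else:
            entry["max_path_len"] = max(entry["max_path_len"], ev["path_len"])
            if ev["suspicious"]:
                entry["overflow_like"] = True
    return report


if __name__ == "__main__":
    for client, summary in scan(SAMPLE_LOG).items():
        flag = "OVERFLOW-LIKE" if summary["overflow_like"] else "ok"
        print(f"{client}: unauthorized={summary['unauthorized']} "
              f"max_path_len={summary['max_path_len']} {flag}")
```

A client that is merely misconfigured produces the "Unauthorized access" line with a readable export path; a client that shows up with control bytes in the path, as in the quoted log, is worth treating as a compromise indicator and following up with the checks John describes (new entries in /etc/passwd and inetd.conf).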



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:03 PDT