To my knowledge there are 3 different versions of the mountd remote exploit going around. I found a bin on my shell server from a user and ran it on an outdated box of my own and it did work. I have not seen the source, only the bin. So I do know there is a remote exploit going around.

morex .-
http://morex.net
http://www.worldnetworks.net

On Mon, 28 Sep 1998, John Caldwell wrote:

> This morning at about 2am, someone managed to get into my machine using
> some type of mountd exploit. I was watching at the time, so they weren't
> able to do much damage, but it looks like they were able to nfs mount my
> root drive remotely, even though it's not listed in the /etc/exports. I
> was led to believe it was mountd by this:
>
>
> Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client
> xxx.xxx.xxx.xxx
> Sep 28 02:35:15 harman syslogd: Cannot glue message parts together
> Sep 28 02:35:15 harman mountd[263]: Blocked attempt of xxx.xxx.xxx.xxx to
> mount ^P
> Sep 28 02:35:15 harman
>
>
> The guy had added a line to my /etc/passwd and inetd.conf files allowing
> for easy root access, but didn't do much other damage. I'm not very
> familiar with mountd and I haven't heard anything about remote exploits, so
> I thought I'd post about it.
>
>
> I couldn't find a current contact for the linux nfs package, so that's why I
> posted here first.
>
> --
> -------------------------
> | John Caldwell
> | jcaldat_private
> | http://www.lake.ml.org/
> -------------------------
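An added example, not part of either message: a small Python detector that reads syslog lines of the shape quoted above and flags a mountd refusal whose requested path carries control bytes or is far longer than any real export name, which is what the ^P run in the post looks like on disk. The sample log, the 192.0.2.x client addresses and the 255-byte path limit are constructed assumptions for the example.

```python
import re

# Syslog line shape seen in the quoted log: "Mon DD HH:MM:SS host mountd[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) mountd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
UNAUTH_RE = re.compile(r"^Unauthorized access by NFS client (?P<client>\S+)$")
BLOCKED_RE = re.compile(r"^Blocked attempt of (?P<client>\S+) to mount (?P<path>.*)$")

# Assumption for this example: no genuine export path comes anywhere near this length.
MAX_SANE_PATH = 255

def control_byte_count(path):
    """Count C0 control characters and DEL in a path; real export names contain none."""
    return sum(1 for c in path if ord(c) < 0x20 or ord(c) == 0x7F)

def is_suspicious_path(path):
    """Flag a mount path that carries control bytes (the ^P run in the post) or is absurdly long."""
    return control_byte_count(path) > 0 or len(path) > MAX_SANE_PATH

def scan(lines):
    """Return (alerts, refusals): alerts for overflow-shaped mount requests,
    refusals as a per-client count of 'Unauthorized access' messages."""
    alerts, refusals = [], {}
    for line in lines:
        m = SYSLOG_RE.match(line)
        if m is None:  # not a mountd line (e.g. the syslogd 'Cannot glue' notice)
            continue
        msg = m["msg"]
        u = UNAUTH_RE.match(msg)
        if u:
            refusals[u["client"]] = refusals.get(u["client"], 0) + 1
            continue
        b = BLOCKED_RE.match(msg)
        if b and is_suspicious_path(b["path"]):
            alerts.append({"ts": m["ts"], "host": m["host"], "client": b["client"],
                           "path_len": len(b["path"]),
                           "control_bytes": control_byte_count(b["path"])})
    return alerts, refusals

# Constructed sample log mirroring the quoted incident: a 0x10 ("^P") run, then a repeated
# 4-byte pattern, then one ordinary refusal. 192.0.2.x is a documentation address range.
SAMPLE_LOG = [
    "Sep 28 02:35:15 harman mountd[263]: Unauthorized access by NFS client 192.0.2.7",
    "Sep 28 02:35:15 harman syslogd: Cannot glue message parts together",
    "Sep 28 02:35:15 harman mountd[263]: Blocked attempt of 192.0.2.7 to mount "
    + "\x10" * 400 + "(-\x05\x08" * 40,
    "Sep 28 02:40:01 harman mountd[263]: Blocked attempt of 192.0.2.9 to mount /export/home",
]
```

Call `scan(SAMPLE_LOG)` to get one alert for 192.0.2.7 and no alert for the ordinary /export/home refusal. When syslog splits an oversized message (the "Cannot glue message parts together" notice), the tail of the path can land on a line without the mountd tag, so correlate such fragments by timestamp and host rather than expecting one complete line.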
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:03 PDT