Quoting axess (axessat_private): > > >From my experience.watchin defaced AIX systems all day long and > see what port they have open i draw this conclustion. > This has not been added to public notice or i would not have went into > this discussion at all. There is no flaw in it. > Just a way to determite an operating system. > We are talking about script kiddies that want * to deface. > I also refer to our database. 99% of all defaced AIX has this port open. > Since this has been a long discussion about this i want to point out > once again. No flaw / determite OS and after that exploit the AIX. Old versions of AIX had a buffer overflow in writesrv (which does listen on port 2401). The patches were released back in 1997: Abstract: SECURITY: buffer overflow in writesrv daemon APAR 4.1: IX69168 APAR 4.2: IX69169 Both of these releases are no longer supported and the currently supported releases (v4.3 and v5) are not known to be vulnerable. If anyone has information to the contrary, please contact security-alertat_private I'd also be curious to know which of the lsd (or other) exploits are being used to compromise AIX boxes. The ones I've seen are for fairly old vulnerabilities which have had patches issued. See MSS-OAR-E01-2001:339.1 at: http://www-1.ibm.com/services/continuity/recover1.nsf/Advisories for the list of patches that apply to the lsd exploits. -- Troy Bollinger <troyat_private> Network Security Analyst PGP keyid: 1024/0xB7783129 Troy's opinions are not IBM policy ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Sep 01 2001 - 11:12:49 PDT