> Anyone else seen this? I'd like to make sure I've got everything tied down
> enough that this won't happen again. Samba wasn't supposed to be on there,
> and it's now been removed. I have a suspicion ssl might have been involved
> too, due to the gzip comment and the way apache was reloaded.

I downloaded the msamba and checked the strings for the sambalx binary. From what I've seen, it's the exploit for samba 2.2.8 written by eSDee, with a little modification (adding q3 to the output strings and also the command to email the info about samba).

The exploit I'm talking about can be found at http://packetstormsecurity.nl/0304-exploits/sambal.c

This is not a 0 day, and there are already patches to fix this problem.

Regards,
Paulo Abrantes

++++++++++++++++++++++++++++++++++++++++
Computer Science Student @ Instituto Superior Tecnico (http://www.ist.utl.pt)
This email fortune cookie:
The memory management on the PowerPC can be used to frighten small children.
-- Linus Torvalds
++++++++++++++++++++++++++++++++++++++++
This archive was generated by hypermail 2b30 : Mon Apr 21 2003 - 14:15:27 PDT