below.
Dan
___________________________________________________________________________
Dan Yocum                        | Phone: (630) 840-8525
Linux/Unix System Administrator  | Fax:   (630) 840-6345
Computing Division OSS/FSS       | email: yocum@fnal.gov
Fermi National Accelerator Lab   | WWW:   www-oss.fnal.gov/~yocum
P.O. Box 500                     |
Batavia, IL 60510                | "TANSTAAFL"
________________________________|__________________________________________
------- Forwarded Message
Date: Wed, 2 Jun 1999 16:56:41 -0400
From: Matt Wilson <msw@redhat.com>
To: redhat-watch-list@redhat.com
Cc: BUGTRAQ@NETSPACE.ORG
Subject: [SECURITY] New kernel packages available
Message-ID: <19990602165635.A1034@erwin.devel.redhat.com>

New packages that correct a vulnerability in the kernels that shipped
with Red Hat Linux 6.0 are now available. When exploited this
vulnerability allows remote users to crash machines running 2.2.x
kernels. Thanks to Piotr Wilkin for reporting the problem and to Alan
Cox for the fix.

Red Hat Software recommends that all users with networked machines
upgrade to this release.

The procedure for upgrading the kernel is documented at
redhat.com/corp/support/docs/kernel-upgrade/kernel-upgrade.html

Please read the entire section for your architecture before upgrading.

Red Hat Linux 6.0
=================

Intel
-----
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i386.rpm
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i586.rpm
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-smp-2.2.5-22.i586.rpm
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-2.2.5-22.i686.rpm
rpm -ivh ftp://updates.redhat.com/6.0/i386/kernel-smp-2.2.5-22.i686.rpm

Alpha
-----
rpm -ivh ftp://updates.redhat.com/6.0/alpha/kernel-2.2.5-22.alpha.rpm
rpm -ivh ftp://updates.redhat.com/6.0/alpha/kernel-smp-2.2.5-22.alpha.rpm

SPARC/UltraSPARC
----------------
Note: These packages obsolete the earlier kernel-2.2.5-21 release
for SPARC. The problems fixed by the 2.2.5-21 release are also
fixed in 2.2.5-22.

rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-2.2.5-22.sparc.rpm
rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-smp-2.2.5-22.sparc.rpm
rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-2.2.5-22.sparc64.rpm
rpm -ivh ftp://updates.redhat.com/6.0/sparc/kernel-smp-2.2.5-22.sparc64.rpm

Source RPM
----------
rpm -Uvh ftp://updates.redhat.com/6.0/SRPMS/kernel-2.2.5-22.src.rpm

==================================================================
Matt Wilson
PGP public key: charlotte.redhat.com/~msw/pgp_public_key.asc
------- End of Forwarded Message
From mail@mail.redhat.com Mon Jun 7 17:02:35 1999
Date: Mon, 7 Jun 1999 15:32:17 -0400 (EDT)
From: <alex@yuriev.com>
X-Sender: alex@cathy.uuworld.com
To: linux-security@redhat.com
Subject: RedHat 6.0, /dev/pts permissions bug when using xterm (fwd)
Message-ID: <Pine.LNX.3.96.990607153153.9294D-100000@cathy.uuworld.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
[Mod: forwarded from BUGTRAQ -- alex]
---------- Forwarded message ----------
Date: Sun, 6 Jun 1999 19:15:05 +0000
From: noc-wage <wage@IDIRECT.CA>
To: BUGTRAQ@NETSPACE.ORG
Subject: RedHat 6.0, /dev/pts permissions bug when using xterm

Once again I've come up with another trivial Denial of Service flaw,
(wow, I seem to be good at this Conseal Firewall, +++ath0, ppp
byte-stuffing)
It's been a few months since my last DoS, so here you go:

Many of you RedHat 6.0 users who installed RedHat 6.0 rather than
upgrading may have noticed the new way RedHat displays remote TTY's.
Instead of the old fashioned /dev/ttyp<number>, it now uses
/dev/pts/<number>. There is a flaw in this new implementation that
local users can exploit to cause minor disruption to anyone using
X-windows on the local machine.

This DoS is more of a nuisance than a "real problem" but it could
possibly be used to cause some minor havoc.

The way it works is simple. When whoever is using X opens up an
"xterm" (eterm, rxvt, nxterm...) a connection is made to the X server.
If you do a "who" you will see:
(RedHat 6.0, without upgrading from previous RedHat release)

wage pts/0 Jun 6 01:39 (:0.0)

Or on older versions:

wage ttyp0 Jun 6 01:39 (:0.0)

Now this is normal, but the problem lies within the permissions of that
device.
On older RedHat's if you did:
ls -l /dev/ttyp3 you would see:

crw------- 1 wage tty 3, 0 Jun 6 12:41 /dev/ttyp0

Which is normal and what it should look like.

For those of you who may be new to unix those letters at the beginning
of the line indicate the permissions on the device.
For our output above, the line indicates it is a device (c), and that
the OWNER has read and write permissions (rw)
Group has no permissions (---), and everyone has no permissions (---)
They basically go <type indicator><owner><group><everyone>
An example line of a device with ALL permissions set follows:

 crwxrwxrwx
   /  |  \
Owner Group Everyone

This means that everyone has read/write/execute permissions to that
device.
So as you can see our ttyp0 can only be read or written to by its owner
(and root).

In the case of RedHat 6.0 with regular remote connections (like telnet)
the standard permissions are as follows:

crw--w---- 1 ov3r tty 136, 0 Jun 6 12:32 /dev/pts/0

Here it's almost the same except that group "tty" also has write
access.

The problem lies in the way that the permissions are set for local
connections with the X server using xterm.
if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
You get:

crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0

Notice how now "everyone" has write access to this terminal?
This leads to the hole that any local user can disrupt any xterminal
connected to the local machine. Simply typing "cat /dev/urandom >
/dev/pts/<number>" will flood the xterm with garbage data making it
impossible to use. Or we can also bring back the old "flash" attack
and flash the user's xterm by dumping ASCII escape characters to his
terminal.

This isn't a particularly "deadly" DoS attack, but can be used as a
nuisance OR perhaps even to trick the user into doing something he may
not want to do. (For example dumping "Login:" then "Password:" to the
terminal may trick the user into adding his login/password to a file or
to his .bash_history).

--
Max Schau (noc-wage) <wage@idirect.ca>/<nocwage@globalserve.net>
KeyID 1024/0F699BD3
"The only secure computer is one that's unplugged, locked in a
safe, and buried 20 feet under the ground in a secret location...
and i'm not even too sure about that one"--Dennis Huges, FBI
From mail@mail.redhat.com Tue Jun 8 02:15:07 1999
Date: Mon, 7 Jun 1999 23:42:46 +0200 (CEST)
From: Torbjorn Kristoffersen <torbkris@online.no>
X-Sender: torbkris@hal.europa.no
To: linux-security@redhat.com
Subject: [linux-security] Re: RedHat 6.0, /dev/pts permissions bug when using
xterm (fwd)
In-Reply-To: <Pine.LNX.3.96.990607153153.9294D-100000@cathy.uuworld.com>
Message-ID: <Pine.LNX.4.10.9906072334250.1180-100000@hal.europa.no>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
On Mon, 7 Jun 1999 alex@yuriev.com wrote:
>
> The problem lies in the way that the permissions are set for local
> connections with the X server using xterm.
> if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
> You get:
> crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0
>
> Notice how now "everyone" has write access to this terminal?
> This leads to the hole that any local user can disrupt any xterminal
> connected to the local machine. Simply typing "cat /dev/urandom >
I've also got RedHat 6.0, but the `bug' never occurs. When a
local X user uses an XTerm, his terminal device's name is
as expected /dev/pts/<..>.
However, the permissions of the device are crw--w----. Everyone hasn't
write access to the tty. So I don't think this bug can be in all RH6.0
distributions.
Cheers..
T. S. Kristoffersen <torbkris@online.no>
From mail@mail.redhat.com Tue Jun 8 03:39:01 1999
Date: Tue, 8 Jun 1999 02:52:10 -0400 (EDT)
From: Kevin Kane <frnkzk@Glue.umd.edu>
X-Sender: frnkzk@arcturus.firestar.dhs.org
To: Torbjorn Kristoffersen <torbkris@online.no>
cc: linux-security@redhat.com
Subject: [linux-security] Re: RedHat 6.0, /dev/pts permissions bug when
using xterm (fwd)
In-Reply-To: <Pine.LNX.4.10.9906072334250.1180-100000@hal.europa.no>
Message-ID:
<Pine.LNX.4.10.9906080250330.2308-100000@arcturus.firestar.dhs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
On Mon, 7 Jun 1999, Torbjorn Kristoffersen wrote:
| On Mon, 7 Jun 1999 alex@yuriev.com wrote:
|
| >
| > The problem lies in the way that the permissions are set for local
| > connections with the X server using xterm.
| > if you do an ls -l /dev/pts/<the xterm's tty> (we will use pts/0)
| > You get:
| > crw--w--w- 1 ov3r ov3r 136, 0 Jun 6 12:32 /dev/pts/0
| >
| > Notice how now "everyone" has write access to this terminal?
| > This leads to the hole that any local user can disrupt any xterminal
| > connected to the local machine. Simply typing "cat /dev/urandom >
|
| I've also got RedHat 6.0, but the `bug' never occurs. When a
| local X user uses an XTerm, his terminal device's name is
| as expected /dev/pts/<..>.
| However, the permissions of the device are crw--w----. Everyone hasn't
| write access to the tty. So I don't think this bug can be in all RH6.0
| distributions.

When I upgraded to 6.0, it changed my fstab to add the line for /dev/pts
with the parameter 'mode=0622', and this seemed to be the root of the
problem. I changed it to 'mode=0620', and also added a 'gid=5' (the GID
of the tty group), and it behaves how I want it, with tty group write.
(Without the gid, on my system, it ended up being the users group, which
might as well be world-write)

Kevin Kane <frnkzk@Glue.umd.edu>
[mod: Ok, that's it for this problem guys, we now know the problem and
the fix. -- REW]
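
[Added example, not part of the original thread and not Red Hat's own tooling: a shell check for the fstab condition Kevin Kane describes above. It flags a devpts entry whose mode= grants world write, or group write with no gid= set. The function names and the sample fstab lines are constructed for illustration.]

```shell
#!/bin/sh
# Added example: audit devpts entries in an fstab-format file.
# Function names and the sample data below are constructed, not from the thread.

# Classify one devpts option string, e.g. "gid=5,mode=0620".
check_devpts_opts() {
    mode="" gid=""
    old_ifs=$IFS
    IFS=,
    for opt in $1; do
        case $opt in
            mode=*) mode=${opt#mode=} ;;
            gid=*)  gid=${opt#gid=} ;;
        esac
    done
    IFS=$old_ifs

    case $mode in
        "")       echo "no-mode-option"; return 0 ;;
        *[!0-7]*) echo "invalid-mode";   return 0 ;;
    esac

    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        # "other" write bit set: any local user can write to every pty
        echo "world-writable"
    elif [ $(( 0$mode & 0020 )) -ne 0 ] && [ -z "$gid" ]; then
        # group write without gid=: the pty takes the opening user's group,
        # which the post found to be a shared "users" group on that system
        echo "group-write-no-gid"
    else
        echo "ok"
    fi
}

# Print "<mountpoint> <options> <verdict>" for each devpts line in file $1.
audit_fstab() {
    while read -r dev mnt type opts rest; do
        case $dev in ""|\#*) continue ;; esac
        [ "$type" = devpts ] || continue
        echo "$mnt $opts $(check_devpts_opts "$opts")"
    done < "$1"
}

# Constructed sample: the option reported after the upgrade, then the
# corrected options from the reply.
demo_fstab() {
    cat <<'EOF'
/dev/hda1  /         ext2    defaults         1 1
none       /dev/pts  devpts  mode=0622        0 0
none       /dev/pts  devpts  gid=5,mode=0620  0 0
EOF
}

tmp=$(mktemp) && demo_fstab > "$tmp" && audit_fstab "$tmp"; rm -f "$tmp"
```

On a real host, pass /etc/fstab to audit_fstab; ptys that are already open keep their old mode until the sessions are restarted.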
From mail@mail.redhat.com Wed Jun 9 13:25:31 1999
From: "EW1 Coral J. Cook" <ccook@nosc.mil>
To: <linux-security@redhat.com>
Subject: Port 7 scan
Date: Wed, 9 Jun 1999 08:18:05 -0700
Message-ID: <000001beb28b$45c9bd80$3d96fdc6@fiwcdsd.navy.mil>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
Importance: Normal
X-moderate: yes
Over the last several days, we've been getting pretty regular scans from a
non-existent host on our port 7. Any idea what they are looking for/what are
some of the vulnerabilities with echo?
Thanks
Coral Cook