[icecast] unwanted oper login

Ethan Butterfield primus at veris.org
Tue Apr 10 05:02:39 UTC 2001



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, Apr 09, 2001 at 09:15:26PM -0700, Seth de l'Isle wrote:

> I'm trying to figure out how this was done, so I can decide whether we should
> consider the whole system compromised, or if perhaps there is another machine
> on the LAN that's been compromised and used to sniff us out.

First off, you should not be allowing global access to the admin port of
the icecast server. Either firewall it off, or use TCP wrappers on the
port, and lock it down to only the IPs you want to allow admin access to.
Better yet, disable remote access entirely and only allow telnets in from
the local machine. That way, if you're on console or ssh into the box, no
one can sniff the network traffic and pull the plaintext password out of
the stream.

The fact that this person got in even after the password was changed
suggests that he either has local network access and has been sniffing
passwords, or he has access to the machine itself and is pulling the
password out of the icecast.conf file. Check the server for obvious signs
of a rootkit (foreign entries in /etc/inetd.conf, system binaries with
creation dates in the recent past [i.e., after system creation], daemons
running on weird ports), and pray it's not a kernel module hack. If the
point-of-entry is not easily discernible, firewall off the IP block of the
dialup account and sniff traffic looking for anything martian.

It is never a good idea to rely solely on the built-in authentication
scheme of any program, especially one with text in the clear. (If I could
code, I'd be working on an OpenSSL-based admin console for icecast...)

- -- 

 "If this is Paradise, I wish I had a lawnmower."
     - Talking Heads, "Nothing But Flowers"
-----BEGIN PGP SIGNATURE-----
Comment: For info see http://www.gnupg.org

iD8DBQE60pPv36NTGsm+2Z4RApd4AKCG44tsvSx4zkRKBfrcLNGvenUrBgCglLi9
4SL01mdTPsovmnhPu95bVts=
=dlhA
-----END PGP SIGNATURE-----
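The lock-down and rootkit-triage steps suggested in the message above, as an added example that is not part of the original message or of icecast's own code. It assumes port 8000 as the admin port, "icecast" as the TCP-wrappers service name, 127.0.0.1 and 192.0.2.10 as the allowed admin hosts, and iptables as the packet filter; all sample input is constructed here, not captured from any real host.

```shell
#!/bin/sh
# Added example, not code from the original message or the icecast project.
# Assumptions: admin port 8000, tcpd service name "icecast", the allow-listed
# IPs, and iptables as the packet filter. Sample inputs below are constructed.

# Lock the admin port down to a short allow list. The generated iptables
# lines accept the listed source IPs and drop everyone else.
admin_port_firewall_rules() {
  port="$1"; shift
  for ip in "$@"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $ip -j ACCEPT"
  done
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}
# Same intent with TCP wrappers, if icecast runs under tcpd / libwrap:
#   /etc/hosts.allow:  icecast: 127.0.0.1 192.0.2.10
#   /etc/hosts.deny:   icecast: ALL

# Print inetd.conf services (first field) that are not in a known-good list.
# Usage: unexpected_inetd_entries "ftp telnet" < /etc/inetd.conf
unexpected_inetd_entries() {
  awk -v base="$1" '
    BEGIN { n = split(base, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    !($1 in ok) { print $1 }'
}

# Print listening TCP ports (from "netstat -an" output) that are not expected.
# Usage: unexpected_listeners "22 8000" < netstat.txt
unexpected_listeners() {
  awk -v want="$1" '
    BEGIN { n = split(want, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 ~ /^tcp/ && $NF == "LISTEN" {
      port = $4; sub(/.*[.:]/, "", port)   # strip the address, keep the port
      if (!(port in ok)) print port
    }'
}

# List regular files under the given directories modified after REF, e.g.
#   binaries_newer_than /var/log/wtmp.1 /bin /sbin /usr/bin /usr/sbin
# A replaced system binary shows up here; a kernel-module rootkit does not.
binaries_newer_than() {
  ref="$1"; shift
  find "$@" -type f -newer "$ref"
}

# Constructed sample input (not captured from any real host).
SAMPLE_INETD='# constructed inetd.conf
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
tcpmux  stream  tcp  nowait  root  /bin/sh         sh -i'

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address      Foreign Address     State
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:8000       0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:31337      0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.5:8000     198.51.100.7:40100  ESTABLISHED'

# Demonstration on the constructed samples.
admin_port_firewall_rules 8000 127.0.0.1 192.0.2.10
printf '%s\n' "$SAMPLE_INETD"   | unexpected_inetd_entries "ftp telnet"   # tcpmux
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 8000"          # 31337
```

The two awk filters only flag what is absent from a baseline you supply, so they are as good as that baseline; the point is to compare against what the box looked like before, not against a guess made after the fact. The mtime check catches trojaned binaries only if the attacker did not reset timestamps, which is why the message's caveat about kernel-module rootkits stands.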

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/