[icecast] unwanted oper login

[Jack Moffitt]

> I'm trying to figure out how this was done, so I can decide whether we should
> consider the whole system compromised, or if perhaps there is another machine
> on the LAN that's been compromised and used to sniff us out.

Ah, this points to a potentially serious problem.

I'm not aware of any problems with the oper login code that would allow
you to bypass the password.

Oper passwords are sent in the clear.  Sniffing on a LAN will get them,
unless you're on a switch.  In that case, sniffing on the local machine
will get them.

Oper passwords are stored in the clear in a file that more than likely
is world readable.  If a user has access to login, they can probably
read it.

It's possible someone compromised this system, or a system on your
network.  It's possible they did this through bugs in icecast.

But, there are ways to figure out who they are and where they come from,
and just how they are doing what they are doing.  Can't help much unless
we get more information.

You could try changing the password, and monitoring logins, to see if
they are coming in through an account.  You could try upgrading icecast
and see if they were coming in that way.

The only good way to tell if you've been compromised is by comparing
file hashes.  Check things like 'who', and 'ps', and 'login', and
'bash', etc, to see if they've been modified.  Considering installing
tripwire (www.tripwire.org) on all systems to detect these kinds of
problems.

Some network monitoring will tell you how they are doing it as well.
And where they are coming from (hopefully).

I wish you luck.

jack.

--- >8 ----
List archives:  http://www.xiph.org/archives/
icecast project homepage: http://www.icecast.org/
To unsubscribe from this list, send a message to 'icecast-request at xiph.org'
containing only the word 'unsubscribe' in the body.  No subject is needed.
Unsubscribe messages sent to the list will be ignored/filtered.