Real Server Hacks

Gary Flynn flynngn at jmu.edu
Fri Aug 29 14:15:45 GMT 2003


We had two Windows systems running RealServer hacked.
Don't really know how they got in but there have been
reports on the SecurityFocus Incidents list about
a 0-day for RealServer. RealNetworks acknowledged the
defect.

http://www.securityfocus.com/archive/75/334900/2003-08-19/2003-08-25/0
http://service.real.com/help/faq/security/rootexploit082203.html

The workaround from RealNetworks to prevent the
defect being exploited until they provide a patch
or upgrade is to remove a file. That file was not
present when the Administrator checked for it but
was present on the last backup. I've only taken a
cursory look at one of the systems this morning. It
was running a Serv-U FTP daemon on port 4555 from
WINNT\system32\pwnd\pkstart.exe. It was placed there
at 10:57 AM on Wednesday August 27.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe



