
Bug#251037: marked as done (Strange xdmcp behavior, maybe a trojan horse?)



Your message dated Fri, 26 Jan 2007 23:41:59 +0100
with message-id <45BA83B7.3050609@ens-lyon.org>
and subject line Bug#251037: Strange xdmcp behavior, maybe a trojan horse?
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: xserver-common
Version: 4.3.0.dfsg.1-1

I was unable to connect to a remote xdm, but only when it is outside a broadcast domain. X crashes with a message:

Fatal server error:
XDMCP fatal error: Session failed Session XXXXXXXX failed for display 194-237-107-43.customer.telia.com:9: cannot open display.

I have nothing in common with this IP, so after a further quick tcpdump, I've discovered that the negotiation is as follows:

MY.IP.MY.IP RE.MO.TE.IP XDMCP Query
RE.MO.TE.IP MY.IP.MY.IP XDMCP Willing

and here comes the suspected packet:
MY.IP.MY.IP RE.MO.TE.IP XDMCP Request
with a connection field set to:
	Version: 1
	Opcode: Request (0x0007)
	Message length: 121
	Display number: 9
	Connections (6)
	 Connection 1: 194.237.107.43
	 Connection 2: 193.42.228.75
	 Connection 3: 212.75.96.183
	 [...]

then a normal XDMCP Accept UDP packet.

The other side, of course, tries to connect to 194.237.107.43:6009/TCP, and it, of course, fails.

Those six addresses are always the same, no matter which non-local server I try to connect to.

I'm 99% sure this machine is not compromised; the md5sum of /usr/bin/X11/X is the same on every testing install I'm able to check, and it's:
4f6c8f12266c7424a9125c259af41a39  /usr/X11R6/bin/X

I have a laptop with 4.3.0-7 version of xserver-common and it behaves as expected.

Regards,
BO


--- End Message ---
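As an added illustration, not code from the bug report or from the X.Org/Debian packages, the following decodes an XDMCP Request packet (version 1, opcode 7, big-endian ARRAY8/ARRAY16 encodings per the XDMCP spec) and flags advertised connection addresses that differ from the UDP source, which is the anomaly the report above describes. The sample packet is constructed inline; the client source address 192.0.2.10 and the manufacturer ID string are assumptions.

```python
import ipaddress
import struct

XDMCP_REQUEST = 7      # opcode of the XDMCP Request packet
FAMILY_INTERNET = 0    # connection type for IPv4 addresses

def _array8(buf, pos):
    """ARRAY8: CARD16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def parse_request(pkt):
    """Decode a Request; returns (display number, [(conn_type, address_bytes), ...])."""
    version, opcode, length = struct.unpack_from(">HHH", pkt, 0)
    if version != 1 or opcode != XDMCP_REQUEST or length != len(pkt) - 6:
        raise ValueError("not a well-formed XDMCP Request")
    display = struct.unpack_from(">H", pkt, 6)[0]
    pos = 8
    ntypes = pkt[pos]; pos += 1                      # ARRAY16: CARD8 count, then CARD16 values
    types = list(struct.unpack_from(">%dH" % ntypes, pkt, pos)); pos += 2 * ntypes
    naddrs = pkt[pos]; pos += 1                      # ARRAYofARRAY8: CARD8 count, then ARRAY8s
    addrs = []
    for _ in range(naddrs):
        addr, pos = _array8(pkt, pos)
        addrs.append(addr)
    if naddrs != ntypes:
        raise ValueError("connection type/address counts differ")
    return display, list(zip(types, addrs))

def foreign_connections(pkt, src_ip):
    """Advertised IPv4 addresses that are not the UDP source: the manager would try to
    open display connections to hosts that did not send the Request."""
    src = ipaddress.IPv4Address(src_ip).packed
    _, conns = parse_request(pkt)
    return [str(ipaddress.IPv4Address(a)) for t, a in conns
            if t == FAMILY_INTERNET and len(a) == 4 and a != src]

def build_request(display, ipv4s, authz=(b"MIT-MAGIC-COOKIE-1",), mfr=b"constructed-id"):
    """Encode a Request for the sample below (constructed, not captured traffic)."""
    body = struct.pack(">H", display)
    body += bytes([len(ipv4s)]) + b"".join(struct.pack(">H", FAMILY_INTERNET) for _ in ipv4s)
    body += bytes([len(ipv4s)]) + b"".join(struct.pack(">H", 4) + ipaddress.IPv4Address(ip).packed
                                           for ip in ipv4s)
    body += struct.pack(">H", 0) + struct.pack(">H", 0)      # empty authentication name and data
    body += bytes([len(authz)]) + b"".join(struct.pack(">H", len(n)) + n for n in authz)
    body += struct.pack(">H", len(mfr)) + mfr
    return struct.pack(">HHH", 1, XDMCP_REQUEST, len(body)) + body

# Constructed sample: client 192.0.2.10 (assumed) advertises itself plus two of the
# unrelated addresses listed in the report; the last two should be flagged.
SAMPLE = build_request(9, ["192.0.2.10", "194.237.107.43", "193.42.228.75"])
```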
--- Begin Message ---
Closing, since the submitter does not use this setup anymore.
If anybody ever reproduces this problem, feel free to reopen.

Brice


--- End Message ---
