Bug#405336: vdr ignores svdrphostsconf, listens instead to 0.0.0.0:2001
Juergen Kosel
juergen.kosel at gmx.de
Tue Jan 2 19:00:00 CET 2007
Package: vdr
Version: 1.4.4-1
Severity: grave
Tags: security
Justification: user security hole
Hello,
after I installed vdr and started it as a daemon via the init.d script,
chkrootkit reports a possible Scalper worm infection.
The chkrootkit script checks for a listener on port 2001, which is used by vdr:
tcp 0 0 0.0.0.0:2001 0.0.0.0:* LISTEN
But svdrphosts.conf says:
#
# svdrphosts This file describes a number of host addresses that
# are allowed to connect to the SVDRP port of the Video
# Disk Recorder (VDR) running on this system.
# Syntax:
#
# IP-Address[/Netmask]
#
127.0.0.1 # always accept localhost
#192.168.100.0/24 # any host on the local net
#204.152.189.113 # a specific host
#0.0.0.0/0 # any host on any net (USE THIS WITH CARE!)
#192.168.1.0/24
Maybe the client address is checked after vdr has accepted the connection.
(I haven't looked into this.)
Greetings
Juergen
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-amd64
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Versions of packages vdr depends on:
ii adduser 3.100 Add and remove users and groups
ii debconf [debconf-2.0] 1.5.11 Debian configuration management sy
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libcap1 1:1.10-14 support for getting/setting POSIX.
ii libgcc1 1:4.1.1-19 GCC support library
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libstdc++6 4.1.1-19 The GNU Standard C++ Library v3
ii makedev 2.3.1-83 creates device files in /dev
ii psmisc 22.3-1 Utilities that use the proc filesy
Versions of packages vdr recommends:
ii lirc 0.8.0-9 Linux Infra-red Remote Control sup
-- debconf information:
* vdr/select_dvb_card: Satellite
* vdr/showinfo:
* vdr/create_video_dir: true
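
Added example, not part of the original report and not vdr's code: a Python sketch of the behaviour the reporter hypothesises, where the socket is bound to 0.0.0.0 and the svdrphosts.conf entries are applied to the peer address only after the connection is accepted. The function names and the sample file content are constructed for illustration; the only assumption taken from the report is the IP-Address[/Netmask] syntax with '#' comments.

```python
import ipaddress

# Constructed sample using the IP-Address[/Netmask] syntax quoted in the report.
SAMPLE_CONF = """\
127.0.0.1             # always accept localhost
#192.168.100.0/24     # any host on the local net
192.168.1.0/24
#0.0.0.0/0            # any host on any net (USE THIS WITH CARE!)
"""

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")


def parse_hosts(text):
    """Return the allowed networks; everything after '#' is a comment."""
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            # strict=False tolerates host bits being set, e.g. 192.168.1.5/24
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: bad entry {entry!r}") from exc
    return nets


def peer_allowed(peer_ip, nets):
    """Post-accept check: is the connecting address inside any entry?"""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)


def audit(bind_addr, nets):
    """Compare what the socket table shows with what the host list admits."""
    loopback_only = bool(nets) and all(
        n.version == 4 and n.subnet_of(LOOPBACK_V4) for n in nets
    )
    return {
        # True for 0.0.0.0: any host can complete the TCP handshake
        "reachable_from_any_interface": ipaddress.ip_address(bind_addr).is_unspecified,
        "acl_admits_any_host": any(n.prefixlen == 0 for n in nets),
        "acl_is_loopback_only": loopback_only,
    }
```

A result with both reachable_from_any_interface and acl_is_loopback_only set to True matches the situation in the report: the port scanner sees a listener on every interface even though the host list would only admit localhost.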