Ok.. who is backdooring /usr/bin/login on SunOS?
Alan B. Clegg (abc arg.com)
Wed, 10 May 1995 09:02:10 -0400 (EDT)
I have now come upon the 5th example of 1s complement passwords being put into /usr/bin/login on different systems... Each one has a different password, and not all act the same, some allowing you to get in with any_userid+given_passwd==root_shell and the other real_userid+given_passwd==real_user_shell [including root].

One of the systems also has the 1s complement string '/tmp/.tty'.. I have yet to see that file used.. is anyone familiar with these attacks? I've looked [briefly, I admit] through the archives of bugtraq and can't find any notes on this one...

All of the systems so-compromised have been [at some point] running NCSA HTTP servers. That is the only similar attack route that I have been able to pin down. Is there a toolkit out there that hacks login via the http holes?

Other holes found on these systems:

    Older sendmail with ident code
    IFS hole for OpenWindows
    rdist holes

Any ideas?

[BTW, sorry to drag the list off of locating sniffers... 8-)]

-abc

The strongest reason for the people to retain | Alan B. Clegg
the right to keep and bear arms is, as a last | Information Systems Manager
resort, to protect themselves against tyranny | American Research Group
in government.  -- Thomas Jefferson           |
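
Added example, not part of the original post: a defender's check for the kind of string described above. It lists runs of bytes in a file that become printable ASCII once each byte is one's-complemented (XOR 0xFF), which plain `strings` output will not show. The sample bytes, the placeholder password and the function names are constructed for this example.

```python
"""Find runs of text stored as one's complement (each byte XOR 0xFF)."""
import string
import sys

PRINTABLE = frozenset(
    (string.ascii_letters + string.digits + string.punctuation + " ").encode()
)


def complemented_strings(data, min_len=6):
    """Return (offset, decoded_text) for each run of >= min_len bytes whose
    one's complement is printable ASCII. Ordinary plaintext is never
    reported: the complement of 0x20-0x7E lies in 0x81-0xDF."""
    hits, start, run = [], 0, bytearray()
    for offset, byte in enumerate(data):
        decoded = byte ^ 0xFF
        if decoded in PRINTABLE:
            if not run:
                start = offset
            run.append(decoded)
            continue
        if len(run) >= min_len:
            hits.append((start, run.decode("ascii")))
        run = bytearray()
    if len(run) >= min_len:  # run that reaches the end of the data
        hits.append((start, run.decode("ascii")))
    return hits


def build_sample():
    """Constructed stand-in for a binary; not bytes from any real login."""
    hidden_path = bytes(b ^ 0xFF for b in b"/tmp/.tty")   # string named in the post
    hidden_word = bytes(b ^ 0xFF for b in b"EXAMPLE-PW")  # placeholder value
    return (b"\x7fELF\x00\x00login: \x00" + hidden_path +
            b"\x00Password:\x00\x00" + hidden_word + b"\x00\x01\x02")


if __name__ == "__main__":
    # With a path argument, scan that file; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            blob = handle.read()
    else:
        blob = build_sample()
    for offset, text in complemented_strings(blob):
        print(f"0x{offset:08x}  {text}")
```

Machine code can contain runs in the 0x81-0xDF range by chance, so hits need manual review, ideally against the same scan of a known-good copy of the binary from vendor media.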