Re: Ok.. who is backdooring /usr/bin/login on SunOS?
Casper Dik (casper Holland.Sun.COM)
Wed, 10 May 1995 16:29:29 +0200
- In reply to: Alan B. Clegg: "Ok.. who is backdooring /usr/bin/login on SunOS?"
>I have now come upon the 5th example of a 1s complement passwords being
>put into /usr/bin/login on different systems... Each one has a different
>password, and not all act the same, some allowing you to get in with
>
>	any_userid+given_passwd==root_shell
>  and the other
>	real_userid+given_passwd==real_user_shell [including root]
>
>One of the systems also has the 1s complement string '/tmp/.tty'.. I have
>yet to see that file used.. is anyone familiar with these attacks? I've
>looked [briefly, I admit] through the archives of bugtraq and can't find
>any notes on this one...

The attack looks familiar, though I've only seen it with one of the
passwords as 1-complement, the other as plain text. I've only seen it
as a change to a dynamically linked libc on SunOS 4 machines
(replacing crypt w/ its own routines).

>All of the systems so-compromised have been [at some point] running NCSA
>HTTP servers. That is the only similar attack route that I have been
>able to pin down. Is there a toolkit out there that hacks login via the
>http holes?

Usually such elaborate hacks do not exist, it's more of a modular
three step approach:

- get on a machine (perhaps thru HTTP, but very common is password snooping)
- get root (any of the holes you mention will do)
- modify libc.so/login.

Casper
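
An added example, not part of the original post: a small Python scanner that looks inside a login or libc binary for byte runs that only become readable text after a ones-complement, the obfuscation described in this thread. The function names, the 6-byte minimum length and the sample bytes are assumptions constructed for illustration.

```python
import re
import sys


def ones_complement(data: bytes) -> bytes:
    """Flip every bit of every byte (the obfuscation described in the thread)."""
    return bytes(b ^ 0xFF for b in data)


def complemented_strings(data: bytes, min_len: int = 6):
    """Return [(offset, text)] for byte runs that are printable ASCII only
    after complementing. Printable 0x20..0x7e maps to 0xdf..0x81."""
    run = re.compile(rb"[\x81-\xdf]{%d,}" % min_len)
    return [(m.start(), ones_complement(m.group()).decode("ascii"))
            for m in run.finditer(data)]


def triage(hits):
    """Put decoded filesystem paths first; they are the least likely to be noise."""
    return sorted(hits, key=lambda h: (not h[1].startswith("/"), h[0]))


# Constructed sample, not taken from a real binary: two plain strings, the
# '/tmp/.tty' string from the thread stored complemented, and a made-up
# complemented password.
SAMPLE = (b"\x7fELF\x00login: \x00" + ones_complement(b"/tmp/.tty") +
          b"\x00Password:\x00" + ones_complement(b"ExamplePw1") +
          b"\x00\xff\xfe\x90\x00")

if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none given.
    paths = sys.argv[1:]
    blobs = [(p, open(p, "rb").read()) for p in paths] or [("SAMPLE", SAMPLE)]
    for name, blob in blobs:
        for offset, text in triage(complemented_strings(blob)):
            print(f"{name}: 0x{offset:06x} {text!r}")
```

Runs of high bytes also occur in ordinary machine code, so expect noise on real binaries; treat hits as leads to check against a known-good copy of the same file.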