[199] in linux-security and linux-alert archive


Trojan in Linux Satan Binaries

daemon@ATHENA.MIT.EDU (S. Joel Katz)
Sat Apr 8 11:59:26 1995

Date: Sat, 8 Apr 1995 09:41:03 -0400 (EDT)
From: "S. Joel Katz" <stimpson@panix.com>
To: okir@monad.swb.de
Reply-To: linux-security@tarsier.cv.nrao.edu

[mod: I could not verify these claims in any way; nor could I verify
	if this mail is really from Joel Katz because the message
	was not PGP-signed. Therefore, I'm not signing this post to
	linux-alert either. You should take this warning seriously
	nevertheless.						--okir]

----------------------------------------------------------------------------

	SECURITY ALERT -- Trojan in Linux Satan Binaries

----------------------------------------------------------------------------

	It appears that someone with physical access to my computer inserted
a Trojan into my release of the Linux Satan binaries. This definitely
affects the versions downloaded from ftp.epinet.com and may affect those
from other sites. At least 400 sites have ftp'd the trojan.

	This Trojan has not been exploited and will not be used.

	Briefly, if you downloaded Linux Satan Binaries from anywhere, to be
safe, create a user named "suser" in your /etc/passwd file, set his password
to "*" and his user number to 9955. This will disable the Trojan completely
and Satan can still be used.

	You can obtain the latest info by fingering
"satan@router.epinet.com". Mail regarding the trojan should be sent to the
same address.

	Someone I know wanted to make some bizarre point about tools like
Satan being useless in the hands of the technically unskilled. He obtained
physical access to my machine when I was not in my lab and obtained my
password from a log. (Stupid me, when I was having PPP problems, I told chat
to log everything -- including my password!) Unfortunately, my PPP password
is my Panix password (by their design).

	This person has no intentions of using the Trojan and only wanted to
make a statement, not compromise people's security. When I checked for other
tampered files by comparing my system to my last backup, I noticed a copy of
the source of the trojan sitting in a directory that contains newbie help
for Usenet. It is clear that only the author of the Trojan can exploit it.
He is quite remorseful about what he has done.

	I will release more details including the source shortly. Right now,
I want to give people a chance to secure their systems. If you have an
"suser" line in your /etc/passwd file, you have been attacked. Change
"suser"'s password to "*".

	If you don't have such a line, add one just to be safe -- the Trojan
shuts down if "suser" already exists. Make it user number 9955, and set its
password to "*".

	This problem does not affect any of the source releases. My sincere
apologies to those whose system's security may have been compromised.

	Sincerely,
	Joel Katz <Stimpson@Panix.COM>
	(Address replies to satan@router.epinet.com)
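The check and the mitigation the alert describes (look for an "suser" line in /etc/passwd, and if it is missing add one with password "*" and UID 9955) as a POSIX shell script. This is an added example, not part of the original post or of the SATAN distribution. It works on a copy of a passwd file rather than the live one, and the sample file contents are constructed. The alert specifies only the user name, the "*" password and UID 9955; the GID, home directory and shell used for the added entry are assumptions chosen so the account cannot log in.

```shell
#!/bin/sh
# Constructed sample /etc/passwd contents (not real system files).
# One has no "suser" entry; the other carries an active "suser" line
# of the kind the alert says marks an attacked system.
SAMPLE_CLEAN='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
joel:x:1000:1000:Joel:/home/joel:/bin/sh'

SAMPLE_INFECTED='root:x:0:0:root:/root:/bin/sh
suser:abcd1234:9955:9955::/:/bin/sh
joel:x:1000:1000:Joel:/home/joel:/bin/sh'

# check_suser PASSWD_FILE
# Prints ABSENT   if there is no "suser" line (trojan not yet triggered,
#                 but the account should be added to disable it),
#        ATTACKED if "suser" exists with a password other than "*",
#        DISABLED if "suser" exists with password "*".
check_suser() {
    line=$(grep '^suser:' "$1" | head -n 1)
    if [ -z "$line" ]; then
        echo ABSENT
        return 0
    fi
    pw=$(printf '%s\n' "$line" | cut -d: -f2)
    if [ "$pw" = "*" ]; then
        echo DISABLED
    else
        echo ATTACKED
    fi
}

# The passwd line the alert tells you to add. Name, "*" password and
# UID 9955 come from the alert; GID 9955, the non-existent home and the
# /bin/false shell are assumptions that keep the account unusable.
disabling_entry() {
    printf 'suser:*:9955:9955:SATAN trojan lockout:/nonexistent:/bin/false\n'
}

# apply_mitigation PASSWD_FILE
# Appends the disabling entry if "suser" is absent, or replaces the
# password field with "*" if the account already exists. Prints the
# resulting status (expected: DISABLED).
apply_mitigation() {
    f="$1"
    case "$(check_suser "$f")" in
        ABSENT)
            disabling_entry >> "$f" ;;
        ATTACKED)
            # Portable in-place edit: write a temp copy, then move it over.
            sed 's/^suser:[^:]*:/suser:*:/' "$f" > "$f.tmp" && mv "$f.tmp" "$f" ;;
    esac
    check_suser "$f"
}

# Stand-alone demonstration on temporary copies of the constructed samples.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CLEAN" > "$demo_dir/passwd.clean"
printf '%s\n' "$SAMPLE_INFECTED" > "$demo_dir/passwd.infected"
for f in "$demo_dir/passwd.clean" "$demo_dir/passwd.infected"; do
    echo "$f: before=$(check_suser "$f") after=$(apply_mitigation "$f")"
done
rm -rf "$demo_dir"
```

To run the check against a real system, call `check_suser /etc/passwd`; apply the change to the real file only through your usual account-management tooling, since the script above edits a plain copy and does not touch /etc/shadow or other name-service databases.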
