[201] in linux-security and linux-alert archive
(fwd) Trojan in Linux Satan Binaries!
daemon@ATHENA.MIT.EDU (Giao H. Phan)
Sat Apr 8 13:48:01 1995
Date: Sat, 8 Apr 1995 11:11:12 -0400
From: "Giao H. Phan" <casret@concrete.resnet.upenn.edu>
To: linux-alert@tarsier.cv.nrao.edu
Reply-To: linux-security@tarsier.cv.nrao.edu
Path: netnews.upenn.edu!news.amherst.edu!news.mtholyoke.edu!uhog.mit.edu!news.mathworks.com!panix!not-for-mail
From: stimpson@panix.com (S. Joel Katz)
Newsgroups: alt.security,comp.security.unix
Subject: Trojan in Linux Satan Binaries!
Date: 8 Apr 1995 09:46:26 -0400
Organization: PANIX Public Access Internet and Unix, NYC
Lines: 55
Message-ID: <3m643i$8ss@panix3.panix.com>
NNTP-Posting-Host: panix3.panix.com
Summary: There is a Trojan in some releases of the Linux Satan Binaries!
Keywords: Satan Trojan Security
Xref: netnews.upenn.edu alt.security:23744 comp.security.unix:15029
SECURITY ALERT -- Trojan in Linux Satan Binaries
----------------------------------------------------------------------------
It appears that someone with physical access to my computer inserted
a Trojan into my release of the Linux Satan binaries. This definitely
affects the versions downloaded from ftp.epinet.com and may affect those
from other sites. At least 400 sites have ftp'd the trojan.
This Trojan has not been exploited and will not be used.
Briefly, if you downloaded Linux Satan Binaries from anywhere, to be
safe, create a user named "suser" in your /etc/passwd file, set his password
to "*" and his user number to 9955. This will disable the Trojan completely
and Satan can still be used.
You can obtain the latest info by fingering
"satan@router.epinet.com". Mail regarding the trojan should be sent to the
same address.
Someone I know wanted to make some bizarre point about tools like
Satan being useless in the hands of the technically unskilled. He obtained
physical access to my machine when I was not in my lab and obtained my
password from a log. (Stupid me, when I was having PPP problems, I told chat
to log everything -- including my password!) Unfortunately, my PPP password
is my Panix password (by their design).
This person has no intentions of using the Trojan and only wanted to
make a statement, not compromise people's security. When I checked for other
tampered files by comparing my system to my last backup, I noticed a copy of
the source of the trojan sitting in a directory that contains newbie help
for Usenet. It is clear that only the author of the Trojan can exploit it.
He is quite remorseful about what he has done.
I will release more details including the source shortly. Right now,
I want to give people a chance to secure their systems. If you have an
"suser" line in your /etc/passwd file, you have been attacked. Change
"suser"'s password to "*".
If you don't have such a line, add one just to be safe -- the Trojan
shuts down if "suser" already exists. Make it user number 9955, and set its
password to "*".
This problem does not affect any of the source releases. My sincere
apologies to those whose systems' security may have been compromised.
Sincerely,
Joel Katz <Stimpson@Panix.COM>
(Address replies to satan@router.epinet.com)
--
S. Joel Katz Information on Objectivism, Linux, 8031s, and atheism
Stimpson@Panix.COM is available at http://www.panix.com/~stimpson/
--
Casret - Pimp
Segmentation fault (core dumped) (alpha) @ concrete.resnet.upenn.edu 4000
Flames welcome as they can only mean more publicity.
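The check-and-disable procedure the post describes (look for an existing "suser" line in /etc/passwd and star its password, otherwise add a disabled "suser" with user number 9955), as an added example in POSIX shell that is not part of the original post or of any SATAN release. It operates on a constructed sample passwd file so it runs offline; only the UID 9955 and the "*" password field come from the advisory, while the GID, GECOS, home directory and shell of the added line are assumptions of this example. Set PASSWD=/etc/passwd and run it as root, after taking a backup, to apply the same logic to a real system.

```shell
# Added example (not from the original post or any SATAN release):
# apply the advisory's "suser" fix to an /etc/passwd-style file.
# Defaults to a constructed sample file; PASSWD=/etc/passwd applies it for real.

PASSWD="${PASSWD:-${TMPDIR:-/tmp}/passwd.sample.$$}"

# Constructed sample: an untouched passwd file with no "suser" line.
cat > "$PASSWD" <<'EOF'
root:*:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
stimpson:*:1000:100:S. Joel Katz:/home/stimpson:/bin/sh
EOF

# suser_present FILE: exit 0 if FILE has an "suser" account, 1 otherwise.
# Per the advisory, a line you did not add yourself means the trojan ran.
suser_present() {
    grep -q '^suser:' "$1"
}

# suser_password FILE: print the password field of the "suser" line (empty if none).
suser_password() {
    awk -F: '$1 == "suser" { print $2 }' "$1"
}

# suser_disable FILE: make sure "suser" exists with a "*" password so the
# trojan backs off. An existing line has only its password field rewritten
# (UID and the rest are kept for later inspection); a missing line is added
# with UID 9955 as the advisory specifies. GID/home/shell are assumptions.
suser_disable() {
    if suser_present "$1"; then
        awk -F: 'BEGIN { OFS = ":" } $1 == "suser" { $2 = "*" } { print }' \
            "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    else
        printf '%s\n' 'suser:*:9955:9955:SATAN trojan guard:/nonexistent:/bin/false' >> "$1"
    fi
}

# Run on the sample: report if the account was already there, then disable it.
if suser_present "$PASSWD"; then
    echo "WARNING: suser already present in $PASSWD; per the advisory you were attacked"
fi
suser_disable "$PASSWD"
echo "suser password field in $PASSWD is now: $(suser_password "$PASSWD")"
```

Because the script only ever writes a "*" into the password field, it is safe to run repeatedly; the second run is a no-op apart from the warning, which is expected once your own guard entry exists.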