[205] in linux-security and linux-alert archive
Linux Security FAQ Update: Trojan in Satan Binaries
daemon@ATHENA.MIT.EDU (Alexander O. Yuriev)
Thu Apr 13 18:41:43 1995
Date: Mon, 10 Apr 1995 13:33:38 -0400 (EDT)
From: "Alexander O. Yuriev" <alex@bach.cis.temple.edu>
To: linux-security@tarsier.cv.nrao.edu
Hello,
This is an update of the Linux Security FAQ. I'm again thinking about
sending sendmail a KILL signal - 230 messages to read/reply. ;-)
Best wishes,
Alex
----------CUT-HERE-------------CUT-HERE-----------CUT-HERE-------------
LINUX Satan Alert
Trojan Horse in Linux Binaries
LINUX SECURITY FAQ UPDATE
Copyright (C) 1995 Alexander O. Yuriev, CIS Laboratories
TEMPLE UNIVERSITY
<alex@bach.cis.temple.edu>
In cooperation with Jeff Uphoff <juphoff@tarsier.cs.nrao.edu> and
Olaf Kirch <okir@monad.swb.de>
BRIEFLY
It has come to our attention that some pre-compiled Linux SATAN binaries
create a user 'suser' with GID 0 in /etc/passwd.
SATAN IS NOT SUPPOSED TO DO THIS!
===============================
To check whether your binary is compromised, run the command "strings * | grep
suser" in Satan's root directory and in Satan's bin/ subdirectory. Compromised
binaries are likely to show a string containing 'suser'.
If your system was compromised, delete the user 'suser' from the password
file and obtain another copy of Satan. You can also place '*' in the
password field of the 'suser' entry in /etc/passwd to block logins to that
account.
SITES THAT DISTRIBUTED COMPROMISED SATAN BINARIES
The compromised SATAN binaries were placed on the following FTP
site:
ftp://router.epinet.com
As far as we know, that binary was then re-distributed to other
Linux FTP sites.
There is NO Trojan horse in the Satan patch that is currently on
sunsite.unc.edu in /pub/Linux/Incoming.
WERE ANY SITES COMPROMISED USING THIS TROJAN HORSE?
We are aware of two cases where system security was compromised
using the Trojan horse in the Satan binaries. Because the GID of 'suser'
is 0, intruders were able to modify group-writable files belonging to
group 0 on the system.
HOW CAN I DETECT IF MY SITE WAS ATTACKED?
Scan your system logs for 'suser' logins using
grep suser /usr/adm/syslog /usr/adm/messages
(whichever of the two files your syslogd writes to).
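The checks the advisory describes (the 'suser' string in the binaries, the
planted GID 0 account in the password file, the '*' lockout, and the grep over
the logs), gathered into one script as an added example. This is not part of
the original FAQ update; it runs entirely on constructed sample files in a
temporary directory, so the SATAN tree, the passwd file, the log lines and the
host name in them are all made up here. On a real system point SATAN_DIR,
PASSWD and LOG at the SATAN root, /etc/passwd and /usr/adm/syslog or
/usr/adm/messages instead.

```shell
#!/bin/sh
# Added example: the advisory's detection and remediation steps over
# constructed sample data. Nothing here touches the real /etc/passwd.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SATAN_DIR="$WORK/satan"     # constructed stand-in for the SATAN directory
PASSWD="$WORK/passwd"       # constructed stand-in for /etc/passwd
LOG="$WORK/messages"        # constructed stand-in for /usr/adm/messages

mkdir -p "$SATAN_DIR/bin"
# Constructed "binaries": two clean, one carrying the planted passwd line.
printf 'satan scanner\n' > "$SATAN_DIR/satan"
printf 'fping\n' > "$SATAN_DIR/bin/fping"
printf 'rex helper\000suser::500:0::/:/bin/sh\000' > "$SATAN_DIR/bin/rex"

# Constructed password file: the 'suser' entry has GID 0 and no password.
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
suser::500:0::/:/bin/sh
alex:x:1000:100:Alex:/home/alex:/bin/sh
EOF

# Constructed syslog-style lines; one records a login as 'suser'.
cat > "$LOG" <<'EOF'
Apr 10 12:01:44 bach login[212]: ROOT LOGIN ON tty1
Apr 10 13:17:02 bach login[301]: LOGIN ON ttyp0 BY suser FROM somehost.example
Apr 10 13:40:11 bach sendmail[412]: stat=Sent
EOF

# 1. The advisory's "strings * | grep suser" check, done per file so the
#    offending binary is named. grep -a treats binary files as text.
find_trojaned_binaries() {
    find "$1" -type f -exec grep -la suser {} \; | sort
}

# 2. Accounts to worry about: the 'suser' login itself, and any other
#    non-root account that has GID 0.
find_gid0_accounts() {
    awk -F: '$1 == "suser" || ($4 == 0 && $1 != "root") { print $1 }' "$1"
}

# 3. The lockout the advisory suggests: '*' in the password field of the
#    given account. Prints the rewritten file rather than editing in place.
lock_account() {
    awk -F: -v OFS=: -v user="$2" '$1 == user { $2 = "*" } { print }' "$1"
}

# 4. The log check: how many lines in the given log files mention 'suser'.
count_suser_log_lines() {
    cat "$@" | grep -c suser || true
}

printf 'Binaries containing suser:\n%s\n' "$(find_trojaned_binaries "$SATAN_DIR")"
printf 'Suspicious accounts: %s\n' "$(find_gid0_accounts "$PASSWD")"
printf 'Locked passwd line: %s\n' "$(lock_account "$PASSWD" suser | grep '^suser:')"
printf 'Log lines mentioning suser: %s\n' "$(count_suser_log_lines "$LOG")"
```

On the constructed data the script names bin/rex as the only trojaned file,
flags 'suser' as the only non-root GID 0 account, shows the locked line
"suser:*:500:0::/:/bin/sh", and counts one matching log line. The passwd
check deliberately looks for any non-root GID 0 account rather than only the
name 'suser', since the name is the only thing an attacker would need to
change.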
ARE THERE ANY SITES THAT ATTEMPT TO PERFORM UNAUTHORISED ACCESS TO
SYSTEMS USING THE BACKDOOR CREATED BY SATAN?
Yes: 'router.epinet.com'. Some of the messages in
comp.unix.security and other newsgroups urge you to send email
to satan@router.epinet.com if you suspect that your system was
compromised. PLEASE DO NOT DO IT! Even if the person behind
'satan@router.epinet.com' is not going to attack you, think about
the number of people who could sniff that message!
------CUT-HERE---------------------CUT-HERE-------------CUT-HERE--------
=============================================================================
CIS Laboratories email: alex@bach.cis.temple.edu
TEMPLE UNIVERSITY ayuriev@yoda.cis.temple.edu
USA Tel: 1-800-DEV-NULL
=============================================================================