[1761] in bugtraq
Ok.. who is backdooring /usr/bin/login on SunOS?
daemon@ATHENA.MIT.EDU (Alan B. Clegg)
Wed May 10 10:49:52 1995
Date: Wed, 10 May 1995 09:02:10 -0400 (EDT)
From: "Alan B. Clegg" <abc@arg.com>
To: bugtraq@fc.net
I have now come upon the 5th example of a 1s complement password being
put into /usr/bin/login on different systems... Each one has a different
password, and not all act the same, some allowing you to get in with
any_userid+given_passwd==root_shell
and the other
real_userid+given_passwd==real_user_shell [including root]
One of the systems also has the 1s complement string '/tmp/.tty'.. I have
yet to see that file used.. is anyone familiar with these attacks? I've
looked [briefly, I admit] through the archives of bugtraq and can't find
any notes on this one...
All of the systems so-compromised have been [at some point] running NCSA
HTTP servers. That is the only similar attack route that I have been
able to pin down. Is there a toolkit out there that hacks login via the
http holes?
Other holes found on these systems:
Older sendmail with ident code
IFS hole for OpenWindows
rdist holes
Any ideas? [BTW, sorry to drag the list off of locating sniffers... 8-)]
-abc
The strongest reason for the people to retain | Alan B. Clegg
the right to keep and bear arms is, as a last | Information Systems Manager
resort, to protect themselves against tyranny | American Research Group
in government. -- Thomas Jefferson |
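
An added example, not part of the original post and not code from its author: a way to check a copy of a login binary for strings stored in one's complement, as described in the message above, by inverting every byte and extracting printable runs the way strings(1) does. The sample bytes, the password "ExamplePw1", the function names and the 0xFF-terminator heuristic are constructed assumptions.

```python
import re

MIN_LEN = 5  # shortest run worth reporting, similar to strings(1) -n
# One's complement maps printable ASCII 0x20-0x7e onto 0x81-0xdf, so hidden
# text never shows up in ordinary strings(1) output.
INVERT = bytes(b ^ 0xFF for b in range(256))
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)


def complemented_strings(data):
    """Return a list of (offset, text, terminated) for printable runs that
    exist only after every byte is inverted. `terminated` is True when the
    run is followed by 0xFF, i.e. an inverted C-string NUL (a heuristic)."""
    flipped = data.translate(INVERT)
    hits = []
    for m in PRINTABLE_RUN.finditer(flipped):
        terminated = data[m.end():m.end() + 1] == b"\xff"
        hits.append((m.start(), m.group().decode("ascii"), terminated))
    return hits


def scan_file(path):
    """Scan a binary on disk, e.g. a copy of /usr/bin/login taken from the
    suspect host and examined on a trusted machine."""
    with open(path, "rb") as fh:
        return complemented_strings(fh.read())


def hide(text):
    # Helper for the constructed sample only: invert text plus its NUL.
    return (text + b"\0").translate(INVERT)


# Constructed sample, not bytes from any real login binary.
SAMPLE = (b"\x7fELF\x01\x02\x00\x00login: \x00Password:\x00"
          + b"\x9d\xe3\xbf\x98" + b"\x00\x00"
          + hide(b"/tmp/.tty") + b"\x01\x00\x00\x00"
          + hide(b"ExamplePw1") + b"\x00\x00")

if __name__ == "__main__":
    for offset, text, terminated in complemented_strings(SAMPLE):
        print(f"0x{offset:04x}  {text!r}  nul-terminated={terminated}")
```

On a real binary, machine code bytes in the 0x81-0xdf range will also produce hits, so compare the output against the same scan of a known-good copy of the binary from vendor media.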