From owner-freebsd-security Tue Jul 24 23:37:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id 4448C37B406 for ; Tue, 24 Jul 2001 23:37:01 -0700 (PDT) (envelope-from kzaraska@student.uci.agh.edu.pl)
Received: by pa169.kurdwanowa.sdi.tpnet.pl (Postfix, from userid 1001) id 973D41C67; Wed, 25 Jul 2001 08:36:32 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with ESMTP id 41F335475; Wed, 25 Jul 2001 08:36:32 +0200 (CEST)
Date: Wed, 25 Jul 2001 08:36:31 +0200 (CEST)
From: Krzysztof Zaraska
X-Sender: kzaraska@lhotse.zaraska.dhs.org
To: David G Andersen
Cc: Peter Pentchev , Jon Loeliger , security@FreeBSD.ORG
Subject: Re: Security Check Diffs Question
In-Reply-To: <200107242359.f6ONx9U09628@faith.cs.utah.edu>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Tue, 24 Jul 2001, David G Andersen wrote:

> It's probably a simple trojan with a pretty interface on it that
> says, (if username == "root", ask for their password. If crypt(input) ==
> that stored password, grant access to the system).

I agree that this is the way this thing should work, but I was wondering: I run strings on the original ypchfn and I see a bunch of lines like "no uid for %s" resembling arguments for printf(), so I guess that is ypchfn's user interface. But in this trojan I can see neither these lines nor something resembling a path to the original ypchfn. So, my question is: how does it masquerade to the user as the original ypchfn without having its user interface inside? Or, maybe, the trojan contains a ypchfn-like user interface but it cannot be seen by running strings on it?
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
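The check the poster describes (running strings on the original ypchfn and looking for the printf()-style templates that a replacement binary lacks) can be automated. The script below is an added example, not code from the poster or from the FreeBSD project: it reimplements the default behaviour of strings(1) (runs of at least four printable ASCII bytes), keeps only the strings that contain a printf-style conversion, and reports which user-facing templates of a known-good binary are absent from a suspect file. The two byte blobs are constructed stand-ins for the two files, not real ypchfn binaries.

```python
"""Compare the printable strings of a suspect binary against a known-good
copy, the way strings(1) would, and report the printf-style format strings
(e.g. "no uid for %s") that the suspect lacks.

REFERENCE_BLOB and SUSPECT_BLOB below are constructed byte blobs standing
in for two files on disk; they are not real ypchfn binaries.
"""
import re
from typing import Set

# A printf()/err() conversion such as %s, %d, %-8.3f, %lx is close enough
# to "%l" handling for this purpose; %% (a literal percent) is not matched.
FORMAT_SPEC = re.compile(r"%[-+ #0]*\d*(\.\d+)?[hlLqjzt]*[diouxXeEfgGcsp]")


def extract_strings(blob: bytes, min_len: int = 4) -> Set[str]:
    """Return the set of printable ASCII runs of at least min_len bytes
    (the same selection strings(1) makes by default)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pattern.finditer(blob)}


def format_strings(strings: Set[str]) -> Set[str]:
    """Keep only the strings that look like printf()-style templates,
    i.e. the ones most likely to be a program's user interface."""
    return {s for s in strings if FORMAT_SPEC.search(s)}


def missing_format_strings(reference: bytes, suspect: bytes) -> Set[str]:
    """Format strings present in the reference binary but absent from the
    suspect.  A legitimate rebuild may differ in a few strings, but a file
    that lacks most of the original's user-facing templates cannot be
    printing those messages itself."""
    return (format_strings(extract_strings(reference))
            - format_strings(extract_strings(suspect)))


def load_file(path: str) -> bytes:
    """Read a binary from disk for use with the functions above."""
    with open(path, "rb") as fh:
        return fh.read()


# Constructed stand-ins for the two files (not real binaries).
REFERENCE_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"no uid for %s\x00"
    + b"Changing NIS information for %s on %s.\x00"
    + b"%s: Permission denied\x00"
    + b"Unknown option\x00"
    + b"\x00" * 16
)
SUSPECT_BLOB = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"Password:\x00"
    + b"root\x00"
    + b"\x00" * 16
)

if __name__ == "__main__":
    # Usage: compare the constructed blobs; for real files use load_file().
    for s in sorted(missing_format_strings(REFERENCE_BLOB, SUSPECT_BLOB)):
        print("missing from suspect:", s)
```

The comparison only tells you what is not there in plain text; a binary whose strings are stored encoded, or assembled at run time, will show the same gap as one that has no interface at all, so an empty result means "nothing obviously missing", not "identical to the original".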