From owner-freebsd-security Wed Jul 25 07:36:08 2001
Delivered-To: freebsd-security@freebsd.org
Received: from chrome.jdl.com (chrome.jdl.com [209.39.144.2]) by hub.freebsd.org (Postfix) with ESMTP id F371537B64C for <security@FreeBSD.ORG>; Wed, 25 Jul 2001 07:35:19 -0700 (PDT) (envelope-from jdl@chrome.jdl.com)
Received: from chrome.jdl.com (localhost [127.0.0.1]) by chrome.jdl.com (8.9.1/8.9.1) with ESMTP id JAA08445; Wed, 25 Jul 2001 09:10:52 -0500 (CDT) (envelope-from jdl@chrome.jdl.com)
Message-Id: <200107251410.JAA08445@chrome.jdl.com>
To: Krzysztof Zaraska
Cc: David G Andersen, Peter Pentchev, security@FreeBSD.ORG
Subject: Re: Security Check Diffs Question
In-reply-to: Your message of "Wed, 25 Jul 2001 08:36:31 +0200."
Clarity-Index: null
Threat-Level: none
Software-Engineering-Dead-Seriousness: There's no excuse for unreadable code.
Net-thought: If you meet the Buddha on the net, put him in your Kill file.
Date: Wed, 25 Jul 2001 09:10:52 -0500
From: Jon Loeliger
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
X-Loop: FreeBSD.org

So, like Krzysztof Zaraska was saying to me just the other day:

> On Tue, 24 Jul 2001, David G Andersen wrote:
>
> > It's probably a simple trojan with a pretty interface on it that
> > says, (if username == "root", ask for their password. If crypt(input) ==
> > that stored password, grant access to the system).
>
> I agree that this is the way this thing should work, but I was wondering:
> I run strings on the original ypchfn and I see a bunch of lines like "no uid for %s"
> resembling arguments for printf(), so I guess that is ypchfn's user
> interface. But in this trojan I can't see either these lines or
> something resembling a path to the original ypchfn. So, my question is:
> how does it masquerade to the user as the original ypchfn without having its user
> interface inside?
> Or, maybe, the trojan contains a ypchfn-like user
> interface but it cannot be seen by running strings on it?

So I'm willing to `od` this executable and send it to someone if someone is, like, seriously wanting to reverse engineer it. Or perhaps even `nm` it too. I'm personally not spending time reverse engineering it until I get a DMZ firewall in place. :-)

jdl

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
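Krzysztof's second guess (the trojan carries ypchfn-like interface text that strings(1) simply cannot see) is the usual answer: the text is stored encoded and only decoded at run time, so `strings` prints junk where the prompts live. The Python below is an added example written for this archive page; it is not code from the thread, from FreeBSD's ypchfn, or from the binary Jon offered to `od`. It builds a small constructed blob (the filler bytes, the visible "Password:"/"Sorry" text, the second hidden prompt "Login name [%s]:" and the XOR key 0x5A are all invented here; only "no uid for %s" is the string Krzysztof quoted), shows what a strings(1)-style scan would report, then brute-forces every single-byte XOR key and ranks keys by how many recovered strings contain a printf conversion. It goes slightly beyond the thread in that it generalises the check to any single-byte XOR key rather than one guessed key.

```python
"""
Why strings(1) can miss a trojan's user-interface text, and how to look for it
anyway: single-byte XOR brute force over a binary blob.

Added example for this mailing-list page; the sample blob below is constructed,
not taken from ypchfn or from the trojan discussed in the thread.
"""
import re

MIN_LEN = 4                            # same default minimum run length as strings(1)
FORMAT_SPEC = re.compile(r"%[sdxuc]")  # printf-style conversions, e.g. "no uid for %s"


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> list[str]:
    """Minimal strings(1): runs of >= min_len printable ASCII bytes (0x20..0x7e).
    (Real strings(1) also treats TAB as printable; that detail is ignored here.)"""
    out, run = [], bytearray()
    for b in blob:
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


def xor_bytes(blob: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the encoding is its own inverse)."""
    return bytes(b ^ key for b in blob)


def find_xor_strings(blob: bytes, min_len: int = MIN_LEN) -> dict[int, list[str]]:
    """Try every single-byte key 0x01..0xff; keep strings that appear only after
    decoding (anything already visible in the raw blob is ignored as baseline)."""
    baseline = set(extract_strings(blob, min_len))
    hits: dict[int, list[str]] = {}
    for key in range(1, 256):
        decoded = extract_strings(xor_bytes(blob, key), min_len)
        new = [s for s in decoded if s not in baseline]
        if new:
            hits[key] = new
    return hits


def rank_keys(hits: dict[int, list[str]]) -> list[int]:
    """Keys ordered by how many decoded strings carry a printf conversion; a wrong
    key turns code bytes into printable garbage, but rarely into '%s'-style text."""
    def score(key: int) -> int:
        return sum(1 for s in hits[key] if FORMAT_SPEC.search(s))
    return sorted(hits, key=lambda k: (-score(k), k))


# --- constructed sample "binary": a trojan that keeps its prompts XOR-encoded ---
KEY = 0x5A                                                          # assumed key
FILLER = b"\x55\x89\xe5\x83\xec\x08\xe8\x00\x00\x00\x00\xc9\xc3"     # code-like bytes
VISIBLE = b"Password:\0Sorry\0"                                      # plain text it shows
HIDDEN = [b"no uid for %s", b"Login name [%s]:"]                     # UI text, encoded
_encoded = b"".join(xor_bytes(s + b"\0", KEY) for s in HIDDEN)
SAMPLE = FILLER + VISIBLE + xor_bytes(b"\0", KEY) + _encoded + FILLER


def analyse(blob: bytes = SAMPLE):
    """Return (what strings(1) shows, per-key recovered strings, ranked keys)."""
    plain = extract_strings(blob)
    hits = find_xor_strings(blob)
    return plain, hits, rank_keys(hits)


if __name__ == "__main__":
    plain, hits, ranked = analyse()
    print("strings(1) would show:", plain)
    if ranked:
        best = ranked[0]
        recovered = [s for s in hits[best] if FORMAT_SPEC.search(s)]
        print(f"best key 0x{best:02x} reveals:", recovered)
```

On the constructed sample the raw scan shows only "Password:", "Sorry" and two runs of punctuation where the encoded prompts sit, which is exactly the "no UI strings but it still behaves like ypchfn" picture Krzysztof described; key 0x5A then comes out on top and recovers both prompts. The check only covers single-byte XOR; a trojan that assembles its text byte by byte in code, or that exec()s the real binary from elsewhere, needs the `od`/`nm` or a disassembler pass Jon mentions rather than a string scan.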