Date: Wed, 25 Jul 2001 09:10:52 -0500
From: Jon Loeliger <jdl@jdl.com>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc: David G Andersen <danderse@cs.utah.edu>, Peter Pentchev <roam@orbitel.bg>, security@FreeBSD.ORG
Subject: Re: Security Check Diffs Question
Message-ID: <200107251410.JAA08445@chrome.jdl.com>
In-Reply-To: Your message of "Wed, 25 Jul 2001 08:36:31 +0200." <Pine.BSF.4.21.0107250806460.1102-100000@lhotse.zaraska.dhs.org>
So, like Krzysztof Zaraska was saying to me just the other day:

> On Tue, 24 Jul 2001, David G Andersen wrote:
>
> > It's probably a simple trojan with a pretty interface on it that
> > says, (if username == "root", ask for their password. If crypt(input) ==
> > that stored password, grant access to the system).
>
> I agree that this is the way this thing should work, but I was wondering:
> I ran strings on the original ypchfn and I see a bunch of lines like "no uid for %s"
> resembling arguments for printf(), so I guess that is ypchfn's user
> interface. But in this trojan I can see neither these lines nor
> something resembling a path to the original ypchfn. So, my question is:
> how does it masquerade to the user as the original ypchfn without having its user
> interface inside? Or, maybe, the trojan contains a ypchfn-like user
> interface but it cannot be seen by running strings on it?

So I'm willing to `od` this executable and send it to someone if someone is, like, seriously wanting to reverse engineer it. Or perhaps even `nm` it too.

I'm personally not spending time reverse engineering it until I get a DMZ firewall in place. :-)

jdl
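As an added example, not part of the thread, here is a small Python triage of the kind Krzysztof describes: a `strings -n 4` style scan of a suspect file, a check for the UI strings the genuine ypchfn is known to print, and a SHA-256 comparison against a known-good hash. The two byte blobs, the expected-string list and the hash are constructed for the example and are not real ypchfn data.

```python
import hashlib
import re

# Constructed stand-ins for a genuine ypchfn image (carrying its printf()-style
# UI strings and its own path) and for a suspect replacement that only mimics
# the password prompt.  These are NOT real FreeBSD binaries.
GENUINE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 8
           + b"no uid for %s\x00"
           + b"\x90\x12\x00\x01"
           + b"/usr/bin/ypchfn\x00"
           + b"Password:\x00")
SUSPECT = (b"\x7fELF\x02\x01\x01" + b"\x00" * 8
           + b"\x13\x37\x00"
           + b"Password:\x00"
           + b"\xde\xad\xbe\xef")

# Strings the genuine program is known to print (constructed list); a file that
# claims to be ypchfn but lacks them is either a different program or hides them.
EXPECTED_UI_STRINGS = ["no uid for %s", "/usr/bin/ypchfn"]


def strings(blob: bytes, min_len: int = 4) -> list:
    """Equivalent of `strings -n min_len`: runs of printable ASCII bytes."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def triage(blob: bytes, expected: list, known_good_sha256: str = None) -> dict:
    """Report hash match, missing UI strings and any printf()-style strings."""
    found = set(strings(blob))
    digest = hashlib.sha256(blob).hexdigest()
    return {
        "sha256": digest,
        "matches_known_good": known_good_sha256 is not None
        and digest == known_good_sha256,
        "missing_ui_strings": [s for s in expected if s not in found],
        # Strings with '%' are the printf() arguments Krzysztof looked for.
        "format_strings": sorted(s for s in found if "%" in s),
    }


if __name__ == "__main__":
    good_hash = hashlib.sha256(GENUINE).hexdigest()  # stands in for a manifest hash
    for name, blob in (("genuine", GENUINE), ("suspect", SUSPECT)):
        print(name, triage(blob, EXPECTED_UI_STRINGS, good_hash))
```

An empty `missing_ui_strings` list with a hash match is the clean case; missing strings with no hash match means the file is not the packaged binary, whether because it is a different program or because its strings are stored in a form `strings` cannot see.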