Re: [Offtopic] Russian Hacker

Nicolas St-Pierre (draggy@kosmic.org)
Fri, 3 Jan 1997 10:07:55 -0500 (EST)


Looks like the person

1. got hold of one of the users' passwords,
2. put in the libroot.so trojan horse,
3. telnetted into the machine, setting LD_PRELOAD to the path of the
library, and
4. thus got in as root without a login prompt.

So, as you were asking: the person did not get the password. He/she/it
just got around it.

There should be a fixed telnetd somewhere you can use that limits
environment variables. Or you can recompile telnetd.

Nick.

On Thu, 2 Jan 1997, Harald Hoyer wrote:

> Hi,
>
> excuse me for this off-topic post, but I think this is also very
> interesting to you (good programmers).
>
> On Dec 30 we had a visit from someone at sampo.karelia.ru.
> We don't know where he got the passwd of one of our users,
> but ... shit happens.
>
> The first thing he/she/it did was to download two files named
> my_lib and my_library.so (attached).
>
> Two days after that (the main logs were cleared), he got the root password.
> Don't ask me how; it is a shadow system with /etc/shadow read-only for
> root.
>
> He/she/it installed a new /etc/shadow with himself as a user and
> installed a TCP/IP snooper to get more passwords.
>
> NOW MY QUESTION IS: HOW DID HE GET THE PASSWORD? Maybe with my_lib*?
> Could someone have a look at these files, please, and mail me their comments?
>
>
> And beware of logins from these hosts:
>
> sampo.karelia.ru
> kftt-runnet.karelia.ru
> www.ci.houston.tx.us
> ashton.lib.dixie.edu
> ferret-world.csc.peachnet.edu
> gw.kppublish.ru
>
> Best wishes for the new year,
>
> Harald
>
> --
> Harald Hoyer
> saturn@studbox.uni-stuttgart.de
> http://saturnnet.wh.uni-stuttgart.de/~saturn
> -------------------------------------------------------------------------
> > Someone:
> > Asking Linus to add such things in the kernel is as pertinent as asking
> > to still support 80286 CPU (IMHO).
> We are working on it.
> Alan Cox
>
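
The fix Nick refers to is an environment filter in telnetd: the telnet ENVIRON option lets the remote client ship arbitrary variables, and if LD_PRELOAD reaches the login program started by telnetd, the dynamic loader maps the attacker's library into a process that is already root, so there is no setuid protection to save you (the loader only drops LD_PRELOAD for secure-execution binaries, and login run by telnetd is not one). The filtering therefore has to happen in telnetd, before the environment is passed on. The following is an added example written for this page, not telnetd's own code and not from either poster; the list of loader variables is illustrative, not the exact list any telnetd uses, and the sample environment is constructed.

```c
/*
 * Added example (not from the thread): the kind of environment filter a
 * fixed telnetd applies before handing a client-supplied environment to
 * login. Dropping the LD_* family here is what stops a libroot.so-style
 * trojan from being preloaded into the privileged login process.
 *
 * Assumptions: the prefix list is illustrative, not telnetd's actual
 * list; the sample environment in demo_filter() is constructed.
 */
#include <stdio.h>
#include <string.h>

/* Return 1 if this "NAME=value" entry must not be passed from an
 * untrusted client to a privileged program, 0 otherwise. Prefix checks
 * deliberately match whole families (LD_PRELOAD, LD_LIBRARY_PATH,
 * LD_AOUT_PRELOAD, ...) rather than a fixed set of names, so a variant
 * the author did not think of is still rejected. */
int env_is_dangerous(const char *kv)
{
    static const char *const bad_prefixes[] = {
        "LD_",          /* Linux / SunOS / SVR4 dynamic loader controls */
        "_RLD_",        /* IRIX / Digital UNIX loader controls */
        "LIBPATH=",     /* AIX */
        "SHLIB_PATH=",  /* HP-UX */
        "IFS=",         /* shell field separator; classic sh trick */
    };
    size_t i;
    for (i = 0; i < sizeof bad_prefixes / sizeof bad_prefixes[0]; i++) {
        if (strncmp(kv, bad_prefixes[i], strlen(bad_prefixes[i])) == 0)
            return 1;
    }
    return 0;
}

/* Compact a NULL-terminated environment array in place, dropping every
 * dangerous entry. Safe entries keep their relative order. Returns the
 * number of entries kept. */
size_t env_filter(char **envp)
{
    size_t in, out = 0;
    for (in = 0; envp[in] != NULL; in++) {
        if (!env_is_dangerous(envp[in]))
            envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return out;
}

/* Constructed sample of what a hostile telnet client might send via the
 * ENVIRON option. Returns the number of variables that survive. */
size_t demo_filter(void)
{
    char *sample[] = {
        "TERM=vt100",
        "LD_PRELOAD=/tmp/libroot.so",   /* the trojan from the thread */
        "LD_LIBRARY_PATH=/tmp",
        "HOME=/home/user",
        "IFS=/",
        "DISPLAY=:0",
        NULL,
    };
    size_t kept = env_filter(sample), i;
    for (i = 0; sample[i] != NULL; i++)
        printf("kept: %s\n", sample[i]);
    return kept;   /* 3: TERM, HOME, DISPLAY */
}

int main(void)
{
    printf("%zu variables survive filtering\n", demo_filter());
    return 0;
}
```

The check is a prefix match on purpose: a deny-list of exact names (only "LD_PRELOAD=") is the kind of fix that gets bypassed by the next loader variable, whereas rejecting everything starting with "LD_" costs nothing legitimate for a remote login. If you recompile telnetd rather than patching it, the same logic belongs at the point where the ENVIRON variables are copied into the environment given to login.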