Re: Possible virus from Rome labs

William McVey (wam@staff.cc.purdue.edu)
Wed, 30 Mar 1994 19:21:09 -0500

Ben Jackson wrote:
>>   > The files are:
>>   > 
>>   > jnk.tmp
>>   > foosh
>
>Isn't `foosh' the name of the shell created by one of the rdist bug
>exploit scripts?  I don't have access to the archive where I have those
>particular files so I can't check, sorry.
>
>--Ben

/tmp/foosh was in fact the suid root shell generated by the second of
the two rdist exploit scripts.  (The one that overflowed the buffer).
If you're running rdist with setuid permissions, I'd say it is a safe
bet that they used rdist to break root and trojan your binaries.

 -- William
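A defender's triage check for the indicators William describes (a setuid rdist binary, the `/tmp/foosh` suid shell and `jnk.tmp`), added here as an example and not code from the original thread. The root and tmp directory arguments are assumptions so the check can be run against a mounted image or a test tree as well as a live host.

```shell
#!/bin/sh
# Added example: look for the rdist-exploit indicators named in the thread.
# On a live host run: check_rdist_indicators / /tmp

# is_setuid FILE -> exit 0 if FILE has the setuid bit set
is_setuid() {
    [ -u "$1" ]
}

# find_setuid_rdist ROOT -> print every setuid file named rdist below ROOT
find_setuid_rdist() {
    find "$1" -type f -name rdist -perm -4000 2>/dev/null
}

# check_rdist_indicators ROOT TMPDIR -> exit 0 if clean, 1 if anything found
check_rdist_indicators() {
    root="$1"; tmp="$2"; hits=0
    # A setuid rdist is the precondition for the exploit William mentions.
    for f in $(find_setuid_rdist "$root"); do
        echo "WARNING: setuid rdist at $f (owner: $(ls -ld "$f" | awk '{print $3}'))"
        hits=$((hits + 1))
    done
    # /tmp/foosh is the shell the second exploit script left behind; if it is
    # still setuid, treat root as compromised and the binaries as suspect.
    if [ -e "$tmp/foosh" ]; then
        if is_setuid "$tmp/foosh"; then
            echo "CRITICAL: setuid shell $tmp/foosh present (rdist exploit artifact)"
        else
            echo "WARNING: $tmp/foosh present"
        fi
        hits=$((hits + 1))
    fi
    if [ -e "$tmp/jnk.tmp" ]; then
        echo "WARNING: $tmp/jnk.tmp present (file reported alongside foosh)"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}
```

A hit on either file means the host should be treated as root-compromised: rebuild from known-good media rather than just deleting the files, and remove the setuid bit from rdist if the service is not needed.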