I have now come upon the 5th example of 1s complement passwords being put
into /usr/bin/login on different systems...  Each one has a different
password, and not all act the same, some allowing you to get in with
any_userid+given_passwd==root_shell and the other
real_userid+given_passwd==real_user_shell [including root].

One of the systems also has the 1s complement string '/tmp/.tty'..  I have
yet to see that file used..  is anyone familiar with these attacks?  I've
looked [briefly, I admit] through the archives of bugtraq and can't find any
notes on this one...

All of the systems so-compromised have been [at some point] running NCSA
HTTP servers.  That is the only similar attack route that I have been able
to pin down.  Is there a toolkit out there that hacks login via the http
holes?

Other holes found on these systems:

    Older sendmail with ident code
    IFS hole for OpenWindows
    rdist holes

Any ideas?

[BTW, sorry to drag the list off of locating sniffers... 8-)]

-abc

The strongest reason for the people to retain | Alan B. Clegg
the right to keep and bear arms is, as a last | Information Systems Manager
resort, to protect themselves against tyranny | American Research Group
in government.  -- Thomas Jefferson           |
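
Added example (not part of the original post): a defender's check for strings hidden in a binary such as /usr/bin/login by 1s complement, assuming they are stored as the bitwise NOT of each byte. It inverts the file and extracts printable runs, like running strings(1) on the complemented copy; the function names, the path markers and the sample bytes are constructed for illustration.

```python
import re
import sys

MIN_LEN = 4  # same minimum run length strings(1) uses by default


def complement(data: bytes) -> bytes:
    """Return the ones' complement (bitwise NOT) of every byte."""
    return bytes(b ^ 0xFF for b in data)


def printable_runs(data: bytes, min_len: int = MIN_LEN):
    """Return (offset, text) for each run of printable ASCII in data."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii"))
            for m in re.finditer(pattern, data)]


def hidden_strings(data: bytes, min_len: int = MIN_LEN):
    """Strings that only become readable after complementing the file.

    ASCII text has the high bit clear, so its complement has the high bit
    set and never shows up in an ordinary strings(1) pass.
    """
    return printable_runs(complement(data), min_len)


def suspicious(found, markers=("/tmp/", "/dev/", "/bin/")):
    """Keep hits that look like file paths (the marker list is an assumption)."""
    return [(off, s) for off, s in found if any(k in s for k in markers)]


# Constructed sample: a fake header, one plaintext string, then two strings
# stored complemented. EXAMPLE-PASSWORD is a placeholder, not a real value.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"login: \x00" + b"\x00" * 4
          + complement(b"/tmp/.tty") + b"\x00"
          + complement(b"EXAMPLE-PASSWORD") + b"\x00")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE
    for offset, text in hidden_strings(blob):
        print(f"{offset:#010x}  {text}")
```

On a real binary the complemented pass also yields short noise runs, so compare its output against the same pass over a known-good copy of login from vendor media.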