>I have now come upon the 5th example of a 1s compliment passwords being >put into /usr/bin/login on different systems... Each one has a different >password, and not all act the same, some allowing you to get in with > > any_userid+given_passwd==root_shell > and the other > real_userid+given_passwd==real_user_shell [including root] > >One of the systems also has the 1s compliment string '/tmp/.tty'.. I have >yet to see that file used.. is anyone familiar with these attacks? I've >looked [briefly, I admit] through the archives of bugtraq and can't find >any notes on this one... The attack looks familiar, though I've only seen it with one of the passwords as 1-complement, the other as plain text. I've only seen it as change to a dynamically linked libc on SunOS 4 machines (replacing crypt w/ its own routines). >All of the systems so-compromised have been [at some point] running NCSA >HTTP servers. That is the only similar attack route that I have been >able to pin down. Is there a toolkit out there that hacks login via the >http holes? Usually such elaborate hacks do not exist, it's more of a modular three step approach: - get on a machine (perhaps thru HTTP, but very common is password snooping) - get root (any of the hoels you mention will do) - modify libc.so/login. Casper