Re: [Fwd: SANS Flash Alert For Solaris]

[James Triplett <james () mail th net>]

On Tue, Jan 04, 2000 at 03:08:49PM -0800, Peter J Dinauer wrote:
> The hunt is on . . . .

> Received: from SpoolDir by ROADRUNNER (Mercury 1.44); 4 Jan 00 13:10:19 pst8pdt
> If you have a lot of experience with software that is still a bit 
> green, you could really make a contribution to the community by 
> running and testing the scanning program.
>
> If you are less experienced you might want to delay a day or two. 
> But don't delay long, the tool may have a short life span, as the 
> attackers will begin to modify the trojan code to evade detection.
>
> Where to find the software:
>
> The host-based tool from NIPC may be found at:
> http://www.fbi.gov/nipc/trinoo.htm

I suppose this is legit.  However, they are asking us to run
AS ROOT, some unknown executable on all our important systems.
Goes against the most basic security procedures!

No source provided, no way to ensure that this isn't just another trojan...
(even the fbi.gov site could be hacked, and anyway how do they know what
is in the executable?)

James