Bugtraq mailing list archives
Re: Possible virus from Rome labs
From: wam () staff cc purdue edu (William McVey)
Date: Wed, 30 Mar 1994 19:21:09 -0500
Ben Jackson wrote:
> > The files are:
> >
> > jnk.tmp
> > foosh
>
> Isn't `foosh' the name of the shell created by one of the rdist bug exploit scripts? I don't have access to the archive where I have those particular files so I can't check, sorry.
>
> --Ben

/tmp/foosh was in fact the suid root shell generated by the second of the two rdist exploit scripts. (The one that overflowed the buffer). If you're running rdist with setuid permissions, I'd say it is a safe bet that they used rdist to break root and trojan your binaries.

-- William
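
A host triage check following from the reply above, as an added example that is not part of the original post: it reports whether an rdist binary carries the setuid bit and lists setuid files left in scratch directories such as /tmp. The function names and the paths in the usage comment are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): triage for the two signs
# the reply points at, a setuid rdist and a setuid file left in /tmp.

# Print every regular file under directory "$1" that has the setuid bit.
# -xdev keeps the search on one filesystem.
setuid_files_in() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null
}

# Classify an rdist binary at path "$1": absent, setuid or not-setuid.
check_rdist() {
    if [ ! -e "$1" ]; then
        echo "absent"
    elif [ -u "$1" ]; then
        echo "setuid"
    else
        echo "not-setuid"
    fi
}

# Report on one rdist path followed by any number of scratch directories.
triage() {
    rdist_bin=$1
    shift
    echo "rdist ($rdist_bin): $(check_rdist "$rdist_bin")"
    for dir in "$@"; do
        setuid_files_in "$dir" | while IFS= read -r f; do
            # A setuid file in a world-writable scratch directory is
            # never expected; show owner and mode for the analyst.
            echo "setuid file in scratch dir: $f"
            ls -ld "$f"
        done
    done
}

# Usage (paths are assumptions, adjust to the host):
#   triage /usr/bin/rdist /tmp /var/tmp
```

A hit from either check is a reason to verify system binaries against known-good media, since the reply expects trojaned binaries after such a compromise.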