Bugtraq mailing list archives

Ok.. who is backdooring /usr/bin/login on SunOS?


From: abc () arg com (Alan B. Clegg)
Date: Wed, 10 May 1995 09:02:10 -0400 (EDT)


I have now come upon the 5th example of a 1s complement password being 
put into /usr/bin/login on different systems... Each one has a different 
password, and not all act the same, some allowing you to get in with

        any_userid+given_passwd==root_shell
    and the other
        real_userid+given_passwd==real_user_shell [including root]

One of the systems also has the 1s complement string '/tmp/.tty'.. I have 
yet to see that file used.. is anyone familiar with these attacks?  I've 
looked [briefly, I admit] through the archives of bugtraq and can't find 
any notes on this one...

All of the systems so-compromised have been [at some point] running NCSA 
HTTP servers.  That is the only similar attack route that I have been 
able to pin down.  Is there a toolkit out there that hacks login via the 
http holes?

Other holes found on these systems:

                        Older sendmail with ident code
                        IFS hole for OpenWindows
                        rdist holes

Any ideas?  [BTW, sorry to drag the list off of locating sniffers... 8-)]

-abc

The strongest reason for the people to retain  | Alan B. Clegg
 the right to keep and bear arms is, as a last | Information Systems Manager
 resort, to protect themselves against tyranny | American Research Group
 in government.            -- Thomas Jefferson |
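The post describes passwords and a path ('/tmp/.tty') stored in a trojaned login binary as 1s complement strings, so that a plain `strings` run over the file does not reveal them. The following is an added example, not code from the post or from Bugtraq: a small scanner that inverts every byte of a file and reports runs that become printable ASCII, which is the check an admin would run over /usr/bin/login to surface such hidden strings. The sample "binary" and the password value it contains are constructed for the example; the post does not disclose the real passwords it found.

```python
# Added example (not from the Bugtraq post): locate 1s-complement strings
# hidden in a binary. A 1s complement inverts every bit, i.e. b XOR 0xFF,
# so the hidden text is recovered by inverting the bytes again.
import string
import sys
from typing import List, Tuple

# Printable ASCII we accept inside a decoded string (space kept, control
# whitespace such as newline/tab dropped to cut false positives).
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\t\n\r\x0b\x0c")


def complement(data: bytes) -> bytes:
    """Return the 1s complement of every byte (b XOR 0xFF)."""
    return bytes(b ^ 0xFF for b in data)


def find_complemented_strings(data: bytes, min_len: int = 6) -> List[Tuple[int, str]]:
    """Scan `data` for runs of at least `min_len` bytes that are printable
    ASCII once complemented. Returns (offset, decoded_string) pairs, much
    like running `strings` over a bit-inverted copy of the file."""
    hits: List[Tuple[int, str]] = []
    run_start = None
    for i, b in enumerate(data):
        if (b ^ 0xFF) in PRINTABLE:
            if run_start is None:
                run_start = i
        else:
            if run_start is not None and i - run_start >= min_len:
                hits.append((run_start, complement(data[run_start:i]).decode("ascii")))
            run_start = None
    # Flush a run that reaches the end of the buffer.
    if run_start is not None and len(data) - run_start >= min_len:
        hits.append((run_start, complement(data[run_start:]).decode("ascii")))
    return hits


def scan_file(path: str, min_len: int = 6) -> List[Tuple[int, str]]:
    """Read a binary (e.g. /usr/bin/login) and return its complemented strings."""
    with open(path, "rb") as fh:
        return find_complemented_strings(fh.read(), min_len)


# Constructed sample: fake header bytes, two ordinary cleartext strings, and
# two complemented strings of the kind the post describes. The "password"
# value is a placeholder, not one taken from a real trojaned login.
SAMPLE_BINARY = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8   # constructed header bytes
    + b"login: \x00Password:\x00"              # normal strings, left alone
    + complement(b"/tmp/.tty") + b"\x00"       # hidden path (from the post)
    + b"\x90\x90\xcc\x00"                      # short junk: below min_len
    + complement(b"EXAMPLE-BACKDOOR-PW") + b"\x00"  # placeholder password
    + b"/bin/sh\x00"
)


if __name__ == "__main__":
    # Usage: python scan_login.py [/path/to/login]; with no path, scans the
    # constructed sample and reports the two hidden strings.
    results = scan_file(sys.argv[1]) if len(sys.argv) > 1 else find_complemented_strings(SAMPLE_BINARY)
    for offset, text in results:
        print(f"0x{offset:08x}  {text}")
    if not results:
        print("no complemented strings found")
```

A clean login binary should produce few or no hits of any length; a hit that decodes to a path, a shell name or a word-like token is the signal to compare the file against a known-good copy (or a vendor checksum) rather than trust it. Raising `min_len` trims the noise that random high-bit bytes produce in real code sections.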
