Security Incidents mailing list archives

Re: backdoor in freebsd found..


From: Rainer Weikusat <weikusat () mail uni-mainz de>
Date: 19 Aug 2001 13:38:39 +0200

Renee Teunissen <renee () wittenburg10c nl> writes:
> it can be found on http://sms.pts.nl/renee/getty.gz (4KB).

This is a small forking tcp-server implementing three commands
(superficial analysis w/o much detail):

- kk1753834298:<filename>

  Open the named file and send its contents over the net.

- kk876398366:<filename>

  Open the named file for writing. It then starts reading lines from
  the net. If the first char is '-' (0x2d), the remains are 'somehow'
  unmangled (possibly decrypted, dunno) and written to the file. A
  line starting with a dot (0x2e) causes the file to be closed and
  the server subprocess to terminate. Anything else is silently
  ignored. 
 
- 2iy4fv:<shell command>

  Duplicate 0, 1, 2 onto the TCP-connection and execute
  <shell command> via system(3).

Anything else is ignored.

-- 
stone me
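
Added example, not part of the original post and not code from the analysed binary: a triage helper that checks a reassembled client-to-server TCP stream against the three command prefixes listed above and summarises what the session asked for. Newline-terminated framing, the command being the first line of the stream, the role labels and the sample streams are assumptions made for illustration.

```python
from dataclasses import dataclass

# Prefixes exactly as given in the post; the role labels are ours.
COMMANDS = {
    b"kk1753834298:": "read_file",
    b"kk876398366:": "write_file",
    b"2iy4fv:": "shell",
}

@dataclass
class Finding:
    action: str           # read_file / write_file / shell
    argument: str         # filename or shell command as sent by the client
    data_lines: int = 0   # '-' lines that followed a write_file command
    closed: bool = False  # a '.' line ended the upload

def triage(stream: bytes):
    """Return a Finding if the stream opens with a known command, else None."""
    # Assumption: commands and upload lines end in LF (a trailing CR is tolerated).
    lines = [l.rstrip(b"\r") for l in stream.split(b"\n")]
    first = lines[0]
    for prefix, action in COMMANDS.items():
        if first.startswith(prefix):
            finding = Finding(action, first[len(prefix):].decode("latin-1"))
            break
    else:
        return None  # the server ignores anything else, so nothing to report
    if action == "write_file":
        for line in lines[1:]:
            if line[:1] == b"-":    # 0x2d: mangled payload line, counted, not decoded
                finding.data_lines += 1
            elif line[:1] == b".":  # 0x2e: file closed, server subprocess exits
                finding.closed = True
                break
            # any other line is silently ignored by the server
    return finding

# Constructed sample streams (not captured traffic).
SAMPLES = [
    b"kk1753834298:/etc/motd\n",
    b"kk876398366:/tmp/x\n-AAAA\nnoise\n-BBBB\n.\n-late\n",
    b"2iy4fv:uname -a\n",
    b"GET / HTTP/1.0\r\n\r\n",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```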
