Security Incidents: Re: RedHat 6.2 boxes root'ed, shitc.tgz installed

Re: RedHat 6.2 boxes root'ed, shitc.tgz installed

From: Dave Dittrich <dittrich_at_CAC.WASHINGTON.EDU>
Date: Mon, 4 Dec 2000 16:45:48 -0800

Slidey,

> as well as these files, /bin/egrep is trojaned.
> every time this runs, it seems to start up the 3
> backdoors. on startup of this particular machine,
> egrep was run in /etc/rc.d/rc causing the
> backdoors to be started each time the machine was
> started.

Well, not *every* time. It appears it is trojaned to run /bin/die only
when certain errors occur during execution, but this can trivially be
made to happen on demand, e.g.:

# ./egrep foo /dev/zero
egrep: memory exhausted
sh: /bin/die: No such file or directory

As seen by ltrace:

__libc_start_main(0x0804aab8, 3, 0xbffffbc4, 0x08048d50, 0x08051ebc <unfinished ...>
__register_frame_info(0x08054aac, 0x08054c84, 0xbffffb84, 0x08048d75, 0x4010a1ec) = 0x4010ad40
strrchr("./egrep", '/') = "/egrep"
strrchr("./egrep", '/') = "/egrep"
setlocale(6, "") = "en_US"
bindtextdomain("grep", "/usr/local/share/locale") = "/usr/local/share/locale"
textdomain("grep") = "grep"
getenv("GREP_OPTIONS") = NULL

 . . .

realloc(0x4012d008, 671092736) = NULL
__dcgettext(NULL, "memory exhausted", 5) = "memory exhausted"
fprintf(0x40108a40, "%s: %s\n", "egrep", "memory exhausted") = 24
system("/bin/die" <unfinished ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 32256
exit(2) = <void>
__deregister_frame_info(0x08054aac, 0xbffffa6c, 0x08051ed1, 0x4010a1ec, 0xbffffa80) = 0x08054c84
+++ exited (status 2) +++

There are about a dozen places that call the function "error" (which
contains the system() call). Does this look like what was happening
with the rc file?

--
Dave Dittrich                           Computing & Communications
dittrich_at_cac.washington.edu             Client Services
http://staff.washington.edu/dittrich    University of Washington
PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5
Received on Dec 06 2000
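The triage steps implied by the exchange above, as an added example that is not part of the original thread or of any rootkit analysis it cites: a byte search for the "/bin/die" command string the implant leaves in the binary, a tree scan for other files carrying it, the on-demand trigger from the post replayed under ltrace filtered to system() calls, and a package-manager verification. The embedded sample files are constructed stand-ins, not the real trojaned egrep; the only assumption is that the implant stores "/bin/die" as a plain string, which the ltrace output shows it does.

```sh
#!/bin/sh
# Added example (not from the original thread). Triage helpers for the
# trojaned-egrep indicator described above: error() ends in
# system("/bin/die"). Assumption: the literal "/bin/die" is present in the
# binary, so a byte search finds it. Run these from known-good tools
# (rescue media): on a rooted box grep, strings, find and rpm may all be
# replaced as well.

# check_for_die FILE
#   Returns 1 and reports if FILE embeds "/bin/die", 0 if it does not,
#   2 if FILE cannot be read.
check_for_die() {
    f="$1"
    [ -r "$f" ] || { echo "$f: unreadable"; return 2; }
    if grep -a -q '/bin/die' "$f"; then
        echo "$f: SUSPICIOUS - embeds /bin/die"
        return 1
    fi
    echo "$f: no /bin/die string"
    return 0
}

# scan_tree DIR...
#   Lists every regular file under DIR... that embeds "/bin/die".
#   Prints nothing when the tree is clean.
scan_tree() {
    find "$@" -type f -exec grep -a -l '/bin/die' {} + 2>/dev/null
}

# count_hits DIR...
#   Number of suspicious files under DIR..., for use in scripts.
count_hits() {
    scan_tree "$@" | wc -l | tr -d ' '
}

# trace_error_path BINARY
#   Replays the on-demand trigger from the post (egrep foo /dev/zero)
#   under ltrace, showing only system() calls. Skipped when ltrace is not
#   installed. Use a sacrificial copy: a trojaned binary will try to run
#   /bin/die.
trace_error_path() {
    command -v ltrace >/dev/null 2>&1 || { echo "ltrace not installed"; return 2; }
    ltrace -e system "$1" foo /dev/zero
}

# verify_package FILE
#   Asks rpm whether FILE still matches its package (size, mode, MD5 and
#   so on). A "5" in the output flags means the contents changed.
#   Returns 2 when rpm is not available on this system.
verify_package() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not available"; return 2; }
    rpm -Vf "$1"
}

# --- self-contained demonstration on constructed files ------------------
demo() {
    d=$(mktemp -d)
    # constructed stand-in for the trojaned egrep: grep's own message
    # strings plus the implant's command string
    printf 'grep: %%s\000memory exhausted\000/bin/die\000' > "$d/egrep.bad"
    # constructed stand-in for a clean egrep: same messages, no implant
    printf 'grep: %%s\000memory exhausted\000' > "$d/egrep.good"
    check_for_die "$d/egrep.bad" || true
    check_for_die "$d/egrep.good" || true
    echo "suspicious files under $d: $(count_hits "$d")"
    rm -rf "$d"
}

demo
```

On a live host the scan would be pointed at /bin, /sbin, /usr/bin and /usr/sbin, and any hit cross-checked with verify_package. Two caveats: a string match is an indicator, not proof, since the implant could be rebuilt with a different path or an obfuscated string; and the rpm database lives on the compromised disk, so a negative result from verify_package is only as trustworthy as the rootkit left it. One further hint worth reading from the ltrace above: bindtextdomain() points at /usr/local/share/locale, the locale directory a from-source GNU grep gets with the default prefix, whereas a Red Hat-packaged grep is built with prefix /usr. That is an inference from the trace, not something the post states, but it is consistent with the file having been rebuilt and dropped in rather than patched in place.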