From: wietse@porcupine.org
Sent: Monday, August 27, 2001 9:32 PM
To: Renee Teunissen
Cc: forensics@securityfocus.com
Subject: Re: Strange getty found on FreeBSD 4.3-stable.

Backdoor programs like this usually require a password, and the password is usually obfuscated (the days that ankle biters used the SCCS version string are long gone).

If you are confident that the program is safe you can run it inside a shared library sandbox. For example, when a program uses strcmp() to compare your input against the expected password, you could run it with an ersatz strcmp() routine that prints the expected password:

    % cat strcmp.c
    #include <stdio.h>

    /* Ersatz strcmp(): print both operands, then claim they match. */
    int strcmp(const char *a1, const char *a2)
    {
        printf("strcmp \"%s\" \"%s\"\n", a1, a2);
        return(0);
    }
    % cc -shared -o strcmp.so strcmp.c
    % (setenv LD_PRELOAD `pwd`/strcmp.so; ./backdoor)

The above applies to FreeBSD 4.mumble. Details may differ for other systems.

Wietse

Renee Teunissen:
>
> Hi,
>
> A few days ago I checked a client's machine for problems, since two (unknown) userids were added. After some searching and nmapping I found TCP port 54 to be open, and with lsof I found a small backdoor installed as /usr/bin/getty.
>
> So far as I can see it's just a simple backdoor, only connecting to it with netcat didn't give me what I thought I should get. Anyone any ideas? I put the "getty" on one of my boss' machines, it can be found on http://sms.pts.nl/renee/getty.gz (4KB).
>
> Strings gives me something that could be a userid or something like this. Anyone seen this one before? And I think they got in using a faulty telnetd.
>
> Cheers,
> Renee.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com