[lug] Weird su/sudo/login/ssh/mail problem

Bear Giles bgiles at coyotesong.com
Fri Apr 5 11:25:23 MST 2002


> Hmmm, "/dev/log" is a string _constant_ used by the libc functions openlog etc.
> What does the following yield:
>  
>   strings /lib/libc.so.6  | perl -ne 'print "Log socket at >$1<\n" if m|(\s*dev/log)|;'
 
I am simple country folk, I can only afford a 'grep'.  It's "/dev/log",
without leading spaces.  Unless 'strings' truncates any leading spaces
itself.

> Err, is your login binary "patched" ?

Sure.  No I take that back - the encrypted FS mods apply to 'mount,'
not 'login,' and they're in the same source package even though Debian
packages them separately.

Login is untouched.  I just forced a reinstall and the md5 signatures
are unchanged.  This doesn't mean much with a sophisticated root kit,
of course, but I'm hardly opening mail from strangers in my Linux Outlook
MUA.

But if my memory is correct, the problems did start around the time
I sync'd against the Debian security server.  One nightmare scenario
has long been embedding a root kit into a package on a security package
server.

Bear


