[lug] Weird su/sudo/login/ssh/mail problem
Bear Giles
bgiles at coyotesong.com
Fri Apr 5 11:25:23 MST 2002
> Hmmm, "/dev/log" is a string _constant_ used by the libc functions openlog etc.
> What does the following yield:
>
> strings /lib/libc.so.6 | perl -ne 'print "Log socket at >$1<\n" if m|(\s*dev/log)|;'
I am simple country folk, I can only afford a 'grep'. It's "/dev/log",
without leading spaces. Unless 'strings' truncates any leading spaces
itself.
> Err, is your login binary "patched" ?
Sure. No, I take that back - the encrypted FS mods apply to 'mount,'
not 'login,' and they're in the same source package even though Debian
packages them separately.
Login is untouched. I just forced a reinstall and the md5 signatures
are unchanged. This doesn't mean much with a sophisticated root kit,
of course, but I'm hardly opening mail from strangers in my Linux Outlook
MUA.
But if my memory is correct, the problems did start around the time
I sync'd against the Debian security server. One nightmare scenario
has long been embedding a root kit into a package on a security package
server.
Bear