Re: irssi backdoor question

From: David Chin (dwchin@umich.edu)
Date: 05/28/02


To: focus-linux@securityfocus.com
From: David Chin <dwchin@umich.edu>
Date: Tue, 28 May 2002 13:04:48 -0400


In message <Pine.LNX.4.43.0205270918110.26784-100000@mail.securityfocus.com>, Hal Flynn writes:
> I tried to get a copy of the trojaned source, but was unsuccessful.
>
> From what I can gather, there are two likely scenarios involving this
> problem.
>
> Scenario #1:
> The trojaned code was placed in a section of the source which was only
> executed by the user during the initial ./configure ; make ; make
> install sequence.
>
> ...
>
> Scenario #2:
> The trojaned code was placed in the configure that is executed during the
> make install sequence. This would likely result in execution by root, as
> the default goes to /usr/local. Obviously, this requires administrative
> access for successful installation.
>
> ...

From what I can tell, the trojan only ran during the configure phase, but
not the make nor the install phases.

I can't attach the whole configure script because it exceeds ezmlm's size
quota.

Cheers,
--Dave Chin