We have recently seen a new trojan that I figured would
be interesting to add to your list of trojan'd programs.
kill(1)
kill is called as the last argument from root's cron job of
/usr/lib/newsyslog thus putting in a trojan "kill" program allows
bad-guys to have their trojan run weekly when newsyslog is run
out of root's cron.

This is used by the bad-guys to be able to re-open a host every week
in the event that they are discovered.

List of trojans I have seen:
login
in.telnetd
telnet
rlogin
rcp
in.rlogind
libc
=======================================================================
|
Full Time: Sr. Network Security Analyst |Part time: *space PI
ENS Network Security Group | and Consultant
Sun Microsystems Inc. |
=======================================================================
The views expressed are those of the author and may
not reflect the views of Sun Microsystems Inc.
=======================================================================
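
A defensive check for the persistence path described in the message above, as an added example that is not part of the original post: it records SHA-256 hashes of a root cron script and of every program the script's words resolve to on cron's PATH, then reports any that later differ. The function names, the baseline format, the example paths and the use of GNU `sha256sum` are assumptions.

```shell
#!/bin/sh
# Added example (not from the original message). Names and baseline format are
# assumptions; requires GNU sha256sum.

# cron_script_cmds SCRIPT SEARCH_PATH
# Print the full path of every word in SCRIPT that resolves to an executable
# on SEARCH_PATH, first match winning as the shell would resolve it. This
# over-approximates on purpose: arguments that name a program are listed too.
cron_script_cmds() {
    script=$1 search=$2
    grep -v '^[[:space:]]*#' "$script" | tr -cs 'A-Za-z0-9_.+-' '\n' | sort -u |
    while read -r word; do
        [ -n "$word" ] || continue
        old_ifs=$IFS; IFS=:
        for dir in $search; do
            if [ -f "$dir/$word" ] && [ -x "$dir/$word" ]; then
                printf '%s\n' "$dir/$word"
                break
            fi
        done
        IFS=$old_ifs
    done
}

# make_baseline SCRIPT SEARCH_PATH
# Emit "hash  path" lines for the script itself and each program it can reach.
# Run on a known-clean host and store the output offline or read-only.
make_baseline() {
    sha256sum "$1"
    cron_script_cmds "$1" "$2" | while read -r bin; do sha256sum "$bin"; done
}

# changed_cmds SCRIPT SEARCH_PATH BASELINE
# Print every path whose current hash line is absent from BASELINE: a replaced
# binary, an edited script, or a same-named program earlier on the PATH.
changed_cmds() {
    make_baseline "$1" "$2" | grep -v -x -F -f "$3" | sed 's/^[0-9a-f]*  //'
}

# Usage (paths are examples):
#   make_baseline /usr/lib/newsyslog /usr/bin:/bin > /secure/newsyslog.base
#   changed_cmds  /usr/lib/newsyslog /usr/bin:/bin /secure/newsyslog.base
```

SEARCH_PATH should be the PATH that root's cron actually uses, since that decides which `kill` the script runs.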