Bugtraq mailing list archives

Re: W-Land: READ THIS NOW -- telnet sci.dixie.edu 1 (fwd)


From: mandar () mailhost ecn uoknor edu (Mandar M. Mirashi)
Date: Fri, 8 Sep 1995 19:00:18 -0500


---------- Forwarded message ----------
Date: Thu, 7 Sep 1995 16:50:56 -0400
From: Ken Weaverling <weave () hopi dtcc edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ () CRIMELAB COM>
Subject: telnet sci.dixie.edu 1

If you telnet to sci.dixie.edu port 1, you get a shell script back. Obviously
this is set up to be run as

telnet sci.dixie.edu 1 | sh

The script builds an executable IRC client, real nice for the novice to
set up IRC on their own.

While that alone bothers me enough, part of the script emails the author
some *interesting* information about your system, including the
NIS domain name.



Sigh..

    I guess I should make up an FAQ for people who keep coming up with the
same concerns over the past year or two, on Usenet groups, mailing
lists, etc.

    Anyway, let me address the issues:

* This command is dangerous - don't do it!

      True. The truly paranoid should

telnet sci.dixie.edu 1 > shscript

and examine shscript. The truly paranoid should also examine megabytes of
_any_ source code downloaded from an ftp site before compiling and running
it.

How do the two relate? The service uses a secure port (<1024) for
downloading the script, which means that it must run as root. ftpd also
must run as root for obvious reasons. Trusting this service is equivalent
to trusting that the source code on an ftp site has not been tampered
with. 99% of the ftp sites don't even use md5 signatures. Not to mention
that most machines out there don't even have it compiled - something that
I'd dearly like to do (incorporate some kind of md5 checking). But I'm
digressing... Recently, ftp sites carrying the ircII client were
compromised and a bogus copy was put up, before it was detected. A CERT
notice can be found in their archives. They're also aware of this
service, and had contacted dixie admins and myself to verify that the
service itself hadn't been compromised.

* The command logs stuff and mails the author - bad!!

The main reason I log errors is to determine what went wrong and fix it
for other platforms. I've ported this auto-source patcher to almost
15 different platforms/OS'es. I mainly log the Makefile results, and
the output of some other sundry commands such as uname -a, time, hostname,
domainname, etc.

Although the original poster is right about the domainname being returned,
he neglected to mention _where_, _how_ and _why_ this command was being
used. This command is used in conjunction with several other checks to
return the closest IRC server to the site. If you check the script
(telnet sci.dixie.edu 1 > filename for a copy), you'll find that the
script tries to find where you're situated in the world by going through
a combination of the 'hostname' (which doesn't work on many Unices :/)
check, domainname check and timezone check in case the previous two fail.
It then selects the appropriate server. All command outputs are logged so I
_know_ what to put in on system type XXX so that it doesn't happen again.
Most system services keep some sort of log or other.

Anyway, posts such as these prompted me to put up a disclaimer in the
script to use it at your own risk. This is a _free_ service that I
provide to the Internet community, and hundreds of people have benefited
from it over the years. There are a lot more vicious (and obfuscated)
things a person can do by disguising backdoors in C code. The crux is,
you have to trust _somebody_ _somewhere_ when downloading software
from ftp sites, or installing irc using this service. Of course, the
best solution is not to trust anyone and pore through the code yourself.

I do wish that Ken had at least cc'ed me a copy of this post when
sending it to a list that I do not subscribe to :-( Please cc me at
mmmirash () mailhost ecn uoknor edu if there are followups.

                                                Thanks

                                                        Mandar

Mandar Mirashi,             | Std. Disclaimer: All opinions expressed
Systems Support Programmer, |   belong solely to myself and in no
Engineering Computer Network|   way reflect those of my employers.
University of Oklahoma (OU).| mandar () uoknor edu, Mmmm () alias undernet org
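The check the reply wishes for (fetch the script to a file, look at it, verify a digest, and only then run it, instead of `telnet sci.dixie.edu 1 | sh`), worked through in shell as an added example. It is not code from either post or from the sci.dixie.edu service. The embedded script content is constructed here, the helper names (fetch_to_file, digest_of, verify_pinned, suspicious_lines, run_if_verified) are this example's own, and SHA-256 stands in for the md5 the reply mentions; all of that is assumption, not something the page shows. The pinned digest must come from a channel separate from the script itself (the author's page, a signed announcement), or comparing against it proves nothing.

```shell
#!/bin/sh
# Added example, not code from the original posts or from the sci.dixie.edu
# service: fetch to a file, inspect, verify a pinned digest, then run,
# in place of `telnet host 1 | sh`.
# Assumptions (not from the page): SAMPLE_SCRIPT is a constructed stand-in for
# what the service would send; in real use the pinned digest is obtained
# over a separate channel, never from the same connection as the script.

SAMPLE_SCRIPT='#!/bin/sh
# constructed stand-in for the auto-source patcher output
echo "building irc client"
uname -a
'

# Stand-in for `telnet sci.dixie.edu 1 > shscript`: writes the constructed
# script to the file named in $1 instead of reading it from the network.
fetch_to_file() {
    printf '%s' "$SAMPLE_SCRIPT" > "$1"
}

# Print the SHA-256 of the file in $1 (the reply talks about md5; the check is
# the same with a modern hash). Tries the common tools in turn.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# Exit 0 only if the digest of file $1 equals the pinned digest $2.
verify_pinned() {
    [ "$(digest_of "$1")" = "$2" ]
}

# Print numbered lines that deserve a look before the script is run: anything
# that talks to the network or reads system identity (the original complaint
# was exactly such a domainname/mail step). Exit 0 when nothing is flagged.
suspicious_lines() {
    ! grep -nE '(mail|sendmail|telnet|nc |curl|wget|domainname|uname|/etc/passwd)' "$1"
}

# Run the fetched script with sh only after the digest check passes.
run_if_verified() {
    if verify_pinned "$1" "$2"; then
        sh "$1"
    else
        echo "digest mismatch for $1, refusing to run" >&2
        return 1
    fi
}

# Walk-through: fetch, take the pin (standing in for one published separately),
# review flagged lines, then run. Anything changed after the pin was taken
# fails verify_pinned and is refused.
script=$(mktemp)
fetch_to_file "$script"
pin=$(digest_of "$script")
suspicious_lines "$script" || echo "review the flagged lines before running" >&2
run_if_verified "$script" "$pin"
rm -f "$script"
```

The point of the file-first pattern is that a pipe into sh never gives you the moment to read the script or compare its digest; once it sits in a file you can do both, and the pinned value is only worth anything when it did not arrive over the same connection as the script.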
