* [gwalton@fbi.gov: info from disk]
2000-12-30 6:08 [gwalton@fbi.gov: info from disk] Marc David Rovner
@ 2000-03-29 16:07 ` Marc David Rovner
2000-12-30 6:08 ` Jim Blandy
1 sibling, 0 replies; 6+ messages in thread
From: Marc David Rovner @ 2000-03-29 16:07 UTC (permalink / raw)
To: Mad Overseers of the Source; +Cc: Inmates with keys
Here's the info from the FBI on this matter. Passwords and userid XXX'ed
out to protect the guilty.

Mind you, what they say is "sourceware/egcs" does seem to be cruftware.
That /dev/ptyrg file lives on crufty, not sourceware.

-----Forwarded message from "Gregory W. Walton" <gwalton@fbi.gov>-----

Date: Wed, 29 Mar 2000 13:13:04 -0800
From: "Gregory W. Walton" <gwalton@fbi.gov>
Subject: info from disk
To: mrovner@cygnus.com

Marc,
Below is the data I have found so far relating to cygnus.
Please let me know if you find anything on your end and send it to me.

Thanks,
Greg
----------------------------------------
sourceware/egcs.cygnus.com
==========================
Linux egcs.cygnus.com 2.0.36 #1 Tue Dec 29 20:03:04 GMT 1998 i686 unknown
redhat 4.2
from ssh trojan on red.juniper.net:
Beginning of new ssh log by: XXX
Wed Aug 25 09:53:16 PDT 1999
============================
HOST: egcs.cygnus.com
User name: XXXX
RSA passphrase: XXXXXX

Beginning of new ssh log by: XXX
Tue Aug 24 21:54:34 PDT 1999
============================
HOST: sourceware.cygnus.com
User name: XXXXX

Beginning of new ssh log by: XXX
Tue Aug 24 21:55:11 PDT 1999
============================
HOST: sourceware.cygnus.com
User name: XXX

exploited kterm with smashcap.c, used default offset

ssh and sshd were mode 777! (was version 1.2.22)

put in sshd trojan: ssh -l __bulgm sourceware.cygnus.com

put in ssh trojan: logs to /dev/ptyrg encrypted

basil.cygnus.com
================
Linux basil.cygnus.com 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown
redhat 5.0

exploitd amd from egcs.cygnus.com

put in syslogd-redha ttrojan
-rw-r--r-- 1 root root 1008 Aug 26 04:40 cygnus.com

cvs.cygnus.co.uk
================
from ssh trojan on sourceware.cygnus.com:
Beginning of new ssh log by: XXXXXXXXX
Wed Sep 8 05:26:01 PDT 1999
============================
HOST: cvs.cygnus.co.uk
User name: XXXXXXXX

-----End of forwarded message-----
^ permalink raw reply [flat|nested] 6+ messages in thread
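
Added example, not part of the original thread or of anyone's tooling at the time: a triage sketch for two of the findings in the forwarded notes, a regular file sitting in /dev (the notes name /dev/ptyrg) and world-writable binaries (ssh and sshd at mode 777). The function names and the list of binary directories are assumptions.

```shell
#!/bin/sh
# Added example: triage checks modelled on two findings in the forwarded notes.
# Each function takes an optional alternate root, e.g. a mounted disk image.

# Regular files under /dev. Device nodes are block/char special files, so a
# plain file there (like the /dev/ptyrg log in the notes) deserves a look.
# -xdev keeps find off separately mounted filesystems such as /dev/shm.
dev_regular_files() {
    root=${1:-}; root=${root%/}
    [ -d "$root/dev" ] || return 0
    find "$root/dev" -xdev -type f -print 2>/dev/null | sort
}

# World-writable regular files in the usual binary directories.
# The directory list is an assumption; extend it for the host examined.
world_writable_bins() {
    root=${1:-}; root=${root%/}
    for d in bin sbin usr/bin usr/sbin usr/local/bin usr/local/sbin; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -xdev -type f -perm -0002 -print 2>/dev/null
    done | sort
}

# One labelled line per finding, suitable for diffing between runs.
triage() {
    dev_regular_files "$1" | sed 's|^|regular-file-in-dev |'
    world_writable_bins "$1" | sed 's|^|world-writable-binary |'
}

# Usage: . ./triage.sh; triage /mnt/evidence
```

Run it against a read-only mount of the suspect disk rather than the live system, since a trojaned host cannot be trusted to report on itself.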
* Re: [gwalton@fbi.gov: info from disk]
2000-12-30 6:08 ` Jim Blandy
@ 2000-03-29 20:00 ` Jim Blandy
2000-12-30 6:08 ` Marc David Rovner
1 sibling, 0 replies; 6+ messages in thread
From: Jim Blandy @ 2000-03-29 20:00 UTC (permalink / raw)
To: Marc David Rovner; +Cc: Mad Overseers of the Source, Inmates with keys
Just out of curiosity, Marc, how did you verify that this fellow is a
genuine FBI person?

> Here's the info from the FBI on this matter. Passwords and userid XXX'ed
> out to protect the guilty.
>
> Mind you, what they say is "sourceware/egcs" does seem to be cruftware.
> That /dev/ptyrg file lives on crufty, not sourceware.
>
> -----Forwarded message from "Gregory W. Walton" <gwalton@fbi.gov>-----
>
> Date: Wed, 29 Mar 2000 13:13:04 -0800
> From: "Gregory W. Walton" <gwalton@fbi.gov>
> Subject: info from disk
> To: mrovner@cygnus.com
>
> Marc,
> Below is the data I have found so far relating to cygnus.
> Please let me know if you find anything on your end and send it to me.
>
> Thanks,
> Greg
> ----------------------------------------
> sourceware/egcs.cygnus.com
> ==========================
> Linux egcs.cygnus.com 2.0.36 #1 Tue Dec 29 20:03:04 GMT 1998 i686 unknown
> redhat 4.2
> from ssh trojan on red.juniper.net:
> Beginning of new ssh log by: XXX
> Wed Aug 25 09:53:16 PDT 1999
> ============================
> HOST: egcs.cygnus.com
> User name: XXXX
> RSA passphrase: XXXXXX
>
> Beginning of new ssh log by: XXX
> Tue Aug 24 21:54:34 PDT 1999
> ============================
> HOST: sourceware.cygnus.com
> User name: XXXXX
>
>
> Beginning of new ssh log by: XXX
> Tue Aug 24 21:55:11 PDT 1999
> ============================
> HOST: sourceware.cygnus.com
> User name: XXX
>
>
>
> exploited kterm with smashcap.c, used default offset
>
>
> ssh and sshd were mode 777! (was version 1.2.22)
>
> put in sshd trojan: ssh -l __bulgm sourceware.cygnus.com
>
> put in ssh trojan: logs to /dev/ptyrg encrypted
>
>
> basil.cygnus.com
> ================
> Linux basil.cygnus.com 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown
> redhat 5.0
>
> exploitd amd from egcs.cygnus.com
>
> put in syslogd-redha ttrojan
> -rw-r--r-- 1 root root 1008 Aug 26 04:40 cygnus.com
>
>
> cvs.cygnus.co.uk
> ================
> from ssh trojan on sourceware.cygnus.com:
> Beginning of new ssh log by: XXXXXXXXX
> Wed Sep 8 05:26:01 PDT 1999
> ============================
> HOST: cvs.cygnus.co.uk
> User name: XXXXXXXX
>
> -----End of forwarded message-----
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [gwalton@fbi.gov: info from disk]
2000-12-30 6:08 ` Marc David Rovner
@ 2000-03-30 11:21 ` Marc David Rovner
0 siblings, 0 replies; 6+ messages in thread
From: Marc David Rovner @ 2000-03-30 11:21 UTC (permalink / raw)
To: Mad Overseers of the Source; +Cc: Inmates with keys
> Just out of curiosity, Marc, how did you verify that this fellow is a
> genuine FBI person?

I went to www.fbi.gov, found the local FBI office phone number in San
Francisco, called them up, told them who I was, and inquired about Mr
Walton.

They told me he is an agent currently working for the FBI out of their
office.

- mrovner
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2000-12-30 6:08 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
2000-12-30 6:08 [gwalton@fbi.gov: info from disk] Marc David Rovner
2000-03-29 16:07 ` Marc David Rovner
2000-12-30 6:08 ` Jim Blandy
2000-03-29 20:00 ` Jim Blandy
2000-12-30 6:08 ` Marc David Rovner
2000-03-30 11:21 ` Marc David Rovner