From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jim Blandy
To: Marc David Rovner
Cc: Mad Overseers of the Source , Inmates with keys
Subject: Re: [gwalton@fbi.gov: info from disk]
Date: Sat, 30 Dec 2000 06:08:00 -0000
Message-id:
References: <20000329160729.15808@cygnus.com>
X-SW-Source: 2000/msg00293.html

Just out of curiosity, Marc, how did you verify that this fellow is a
genuine FBI person?

> Here's the info from the FBI on this matter. Passwords and userid XXX'ed
> out to protect the guilty.
>
> Mind you, what they say is "sourceware/egcs" does seem to be cruftware.
> That /dev/ptyrg file lives on crufty, not sourceware.
>
> -----Forwarded message from "Gregory W. Walton" -----
>
> Date: Wed, 29 Mar 2000 13:13:04 -0800
> From: "Gregory W. Walton"
> Subject: info from disk
> To: mrovner@cygnus.com
>
> Marc,
> Below is the data I have found so far relating to cygnus.
> Please let me know if you find anything on your end and send it to me.
>
> Thanks,
> Greg
> ----------------------------------------
> sourceware/egcs.cygnus.com
> ==========================
> Linux egcs.cygnus.com 2.0.36 #1 Tue Dec 29 20:03:04 GMT 1998 i686 unknown
> redhat 4.2
> from ssh trojan on red.juniper.net:
> Beginning of new ssh log by: XXX
> Wed Aug 25 09:53:16 PDT 1999
> ============================
> HOST: egcs.cygnus.com
> User name: XXXX
> RSA passphrase: XXXXXX
>
> Beginning of new ssh log by: XXX
> Tue Aug 24 21:54:34 PDT 1999
> ============================
> HOST: sourceware.cygnus.com
> User name: XXXXX
>
>
> Beginning of new ssh log by: XXX
> Tue Aug 24 21:55:11 PDT 1999
> ============================
> HOST: sourceware.cygnus.com
> User name: XXX
>
>
>
> exploited kterm with smashcap.c, used default offset
>
>
> ssh and sshd were mode 777! (was version 1.2.22)
>
> put in sshd trojan: ssh -l __bulgm sourceware.cygnus.com
>
> put in ssh trojan: logs to /dev/ptyrg encrypted
>
>
> basil.cygnus.com
> ================
> Linux basil.cygnus.com 2.0.32 #1 Wed Nov 19 00:46:45 EST 1997 i586 unknown
> redhat 5.0
>
> exploited amd from egcs.cygnus.com
>
> put in syslogd-redhat trojan
> -rw-r--r-- 1 root root 1008 Aug 26 04:40 cygnus.com
>
>
> cvs.cygnus.co.uk
> ================
> from ssh trojan on sourceware.cygnus.com:
> Beginning of new ssh log by: XXXXXXXXX
> Wed Sep 8 05:26:01 PDT 1999
> ============================
> HOST: cvs.cygnus.co.uk
> User name: XXXXXXXX
>
> -----End of forwarded message-----