Re: backdoor question

From: Mike Stilson (
Date: 10/28/02

On Mon, Oct 28, 2002 at 09:07:49PM -0800, Mythran wrote:
>> Just check this one carefully, as there are a lot of legitimate uses of
>> this in a mud, not stock, but I can think of uses.  So just carefully
>> check any calls to these VERY carefully.
>> >    Check for ipc/shared memory use:
>> >    egrep -i '(mmap|shm...|sem...|shmdt|msg...) *\(' *.[ch] |less
>> This would be an absolute giveaway.  There's, as far as I can think of
>> but might be wrong, absolutely no use for this in a mud.
>> >    Check for listeners/sockets other than the main port
>> >    egrep -i '(bind|listen|connect|sendmsg|recvmsg) *\(' *.[ch] |less
>> connect() would be an absolute giveaway, since a daemon shouldn't be
>> calling anyone (unless you have my metaserver patch, or I think the i3c
>> package connects() as well.)
>> >13. Check 'command_interpreter' of act.wizard.c
>> Also, check for anything that contains GET_ID/GET_IDNUM.  He could've
>> easily added something that checks for another imp's ID and runs some
>> command to either reinstate his char, randomly mess up someone's char,
>> or an endless list of other things.  This could possibly show up a LOT
>> of lines, and be tedious to check them, but it's still necessary so
>> check all of 'em.
>> -me
>And if you have absolutely no idea what the above says, reformat, reinstall,
>start from scratch, and there ya have it :P

Gee, and I thought I explained it real simply.
If it's his box, that's simple.  If it's hosted elsewhere then there's
problems.  He's worried about a coder putting backdoors in his mud.  I'm
thinking in terms of a good coder with malicious intent who could/would
want to root the box.


   | FAQ: |
   | Archives: |
   | Newbie List:   |

This archive was generated by hypermail 2b30 : 06/25/03 PDT