From jra@news.IntNet.net Sun Apr 30 11:12:56 CDT 1995 Article: 100552 of alt.folklore.computers Xref: uchinews alt.folklore.computers:100552 alt.os.multics:2291 alt.sys.pdp10:573 comp.lang.lisp:14272 Path: uchinews!vixen.cso.uiuc.edu!howland.reston.ans.net!news.sprintlink.net!news.IntNet.net!news.IntNet.net!news-path From: jra@news.IntNet.net (Jay Ashworth) Newsgroups: alt.sys.pdp10,alt.folklore.computers,comp.lang.lisp,alt.os.multics Subject: The Thompson Login Trojan: The REAL Story Date: 30 Apr 1995 01:11:47 -0400 Organization: Intelligence Network Online, Inc. Lines: 84 Message-ID: <3nv66j$bi5@xcalibur.IntNet.net> References: <3mulpf$pte@xcalibur.IntNet.net> <3n0hac$j2s@crcnis3.unl.edu> NNTP-Posting-Host: xcalibur.intnet.net Keywords: horse, mouth Status: R fhoward@us.oracle.com (Forrest Howard) writes: >In article <3n0hac$j2s@crcnis3.unl.edu>, jhesse@herbie.unl.edu (jhesse) wrote: >> Peter da Silva (peter@bonkers.taronga.com) wrote: >> : In article , >> : Bill Dubuque wrote: >> : >"The actual bug I planted in the compiler would match code in >> : >the UNIX "login" command..." >> : I always heard he implemented it but didn't distribute it. >> What did "it" do? >Actually I think it was distributed. Ken talked about it at the 2nd? unix >users group meeting at columbia. In my faded recollection I believe he >said there was code in cpp that > >a) inserted code when compiling login.c (or was it init.c or gtty.c?) that > added code to recognize a particular username/password independent of > /etc/passwd. >b) reinserted the trojen horse when recompiling cpp.c Proving that the real Mrs. Robinson stood up. It occured to me last week that ken@research.att.com is _still_ a valid address, 25 years later... so I asked. Here, from Ken himself, is the Real Story: ) From ken@plan9.att.com Sun Apr 23 14:42 EDT 1995 ) Received: from plan9.att.com by IntNet.net (5.x/SMI-SVR4) ) id AA19375; Sun, 23 Apr 1995 14:42:51 -0400 ) Message-Id: <9504231842.AA19375@ IntNet.net> ) From: ken@plan9.att.com ) To: jra@IntNet.net ) Date: Sun, 23 Apr 1995 14:39:39 EDT ) Content-Type: text ) Content-Length: 928 ) Status: RO ) ) thanks for the info. i had not seen ) that newsgroup. after you pointed it ) out, i looked up the discussion. ) ) writing to news just causes more ) misunderstandings in the future. there ) is no way to win. [ note: I asked him if he minded my posting the reply, he had no objection ] ) fyi: the self reproducing cpp was ) installed on OUR machine and we ) enticed the "unix support group" ) (precursor to usl) to pick it up ) from us by advertising some ) non-backward compatible feature. ) that meant they had to get the ) binary and source since the source ) would not compile on their binaries. ) ) they installed it and in a month or ) so, the login command got the trojan ) hourse. later someone there noticed ) something funny in the symbol table ) of cpp and were digging into the ) object to find out what it was. at ) some point, they compiled -S and ) assembled the output. that broke ) the self-reproducer since it was ) disabled on -S. some months later ) the login trojan hourse also went ) away. ) ) the compiler was never released ) outside. ) ) ken Everyone: please save this post, so the next time the question comes up, you can just go look. :-) Cheers, -- jr 'will bug legends for food' a -- Jay R. Ashworth High Technology Systems Consulting Ashworth Designer Linux: The Choice of a GNU Generation & Associates ka1fjx/4 "I minored in babbling in college... and got +1 813 790 7592 jra@baylink.com honors in it." --Brian Heath NIC: jra3