From: Bruce S. <bw...@ar...> - 2006-10-19 17:46:03
I can confirm that it's not on any of my 1.2.10 systems.

There is no /shm/ssh* directory or file on my systems.
There is no executable file named "TODO" or "todo" on my CD or in RAM.
There is no executable file in my compiled source code tree named "TODO" or "todo" on my build system. (the only files named "todo/TODO" are text-only documentation for some packages, and NOT executable)
There is no running process named "todo/TODO" on my 1.2.10 boxes.
There are no processes running that I can't account for either.

The EnergyMech IRC bot (www.energymech.net) is not included in any version of Devil-Linux.

The guy either got cracked somehow, or perhaps this is just FUD, since the full-disclosure mailing list is unmoderated.

- BS

> Victor Grishchenko <gritzko <at> plotinka.ru> writes:
> > While building and testing a customized version of DevilLinux router
> > distro I found an IRC bot onboard. As far as I understood, it was
> > EnergyMech compiled from source right there plus some executable named
> > "TODO" (for camouflage purposes). The stuff unfolds at /shm/sshd/ and
> > runs somehow. Sadly, I had no time for detailed investigation. It leaves
> > an overall impression of script kiddie's work.
> > Last days DevilLinux website seems to be dead.
>
> I am the project leader of Devil-Linux.
> First of all our website is up and was not down at any time.
>
> I don't know how this bot got on your system, but what you're writing does
> not make any sense.
> 1. There's no bot included in the DL sources
> 2. It can never have been compiled on a running DL system, because there
> are no compilers included.
> 3. It can only have been introduced (compiled from source as you say) if
> the machine you compiled DL on, was compromised.
> 4. The location you specify (/shm) is a ramdisk. So it must be copied onto
> the system after it boots up. This can only be the case if you have the
> system wide open and somebody can log in easily.
> 5. I verified the official 1.2.10 release and there's no bot to be seen.
>
> So it seems the problem does not lie with Devil-Linux, but rather with
> your own system.
> Please stop spreading accusations like this, especially without properly
> analyzing the issue first.
>
> Regards
> Heiko Zuerker
> http://www.devil-linux.org
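
The checks listed at the top of this message (no /shm/ssh* entry, no executable named "TODO" or "todo", no process by that name) can be scripted as below. This is an added example, not part of the original emails or of Devil-Linux; the function names and the ROOT argument (a live `/`, a mounted image, or an extracted CD tree) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage for the indicators named in this thread.
# ROOT (hypothetical parameter) is the tree to inspect, e.g. / or /mnt/image.
# Usage after sourcing this file:  triage /   ;   find_todo_procs

# Print every /shm/ssh* entry (file or directory) found under ROOT.
find_shm_ssh() {
    root=${1%/}
    for p in "$root"/shm/ssh*; do
        # An unmatched glob stays literal, so test that the path exists.
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
    return 0
}

# Print regular files named exactly "todo" or "TODO" that have any execute
# bit set. Plain-text TODO documentation (mode 644) is not reported.
find_exec_todo() {
    # Unreadable directories are skipped; errors are ignored on purpose.
    find "$1" -type f \( -name todo -o -name TODO \) \
        \( -perm -100 -o -perm -010 -o -perm -001 \) 2>/dev/null || true
}

# Print PID and command of running processes whose name is todo/TODO.
# A process can rename itself, so an empty result is not proof on its own;
# every remaining process still has to be accounted for by hand.
find_todo_procs() {
    ps -e -o pid= -o comm= | awk '{
        n = $2; sub(/.*\//, "", n)
        if (tolower(n) == "todo") print
    }'
}

# Run both filesystem checks; return 1 and list the paths if anything hits.
triage() {
    hits=$(find_shm_ssh "$1"; find_exec_todo "$1")
    if [ -n "$hits" ]; then
        printf 'SUSPECT:\n%s\n' "$hits"
        return 1
    fi
    echo "clean: no /shm/ssh* entry and no executable todo/TODO under $1"
}
```

Because /shm is a ramdisk, a hit there only shows up on the running system, while the CD image and the build tree need the executable-TODO check.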