[OS X TeX] OT: effective Macintosh Trojan in the wild

Bruno Voisin bvoisin at mac.com
Mon May 9 17:18:12 CEST 2005


Le 8 mai 05 à 20:41, Aaron Jackson a écrit :

> On May 8, 2005, at 1:58 PM, Bruno Voisin wrote:
>
>> The clamav user created by clamXav has shell /sbin/nologin (as  
>> revealed by NetInfo Manager), thus I assume this means this user  
>> can't login.
>
> Yes.  The shell nologin prints the contents of /private/etc/ 
> nologin.txt and then quits. Of course, this only happens if the  
> account has a valid password and the initial login interaction is  
> successful.
>
> As far as security is concerned, paranoia is a good thing.  So in  
> addition to not having a valid password other common things to do  
> is to make sure the shell is not valid and also there is no valid  
> home directory for the user.  Kinda like wearing a belt, suspenders  
> and another pair of pants to make sure your pants never fall down  
> unexpectedly, because you never want to be caught with your pants  
> down...

A new Archive & Install has revealed that there are indeed a clamav  
user and a clamav group in Tiger Client, with different  
characteristics from those installed by clamXav. According to NetInfo  
Manager:

- Group: name "clamav", realname "SPAM Assassin Group 1"

- User: name "clamav", realname "Clamav User", home /var/virusmails,  
shell /bin/tcsh

But there's no directory /var/virusmails.

Bruno Voisin

--------------------- Info ---------------------
Mac-TeX Website: http://www.esm.psu.edu/mac-tex/
           & FAQ: http://latex.yauh.de/faq/
TeX FAQ: http://www.tex.ac.uk/faq
List Post: <mailto:MacOSX-TeX at email.esm.psu.edu>





More information about the macostex-archives mailing list