README for trojan.pl Created by Bruce Barnett 1994. Trojan.pl is a trojan horse checking program. It examines your searchpath and looks at all of the executables in your searchpath, looking for people who can create a trojan hource you can execute. usage: perl trojan.pl See the script for more informations on the various options. For those who ask: The difference between COPS and trojan.pl is this: 1) COPS is typically run by root. Trojan.pl should be executed by anyone who wants to protect their own account. A trojan horse will often be created by someone who isn't root, to either gain access to root, or to gain access to someone who can gain access to root. If I can create a trojan horse that can break into a staff account, I might be able to create a trojan to break into a root account. Therefore all system administrators should run trojan.pl from their own account. Why bother to have a secure root account, when the system administration accounts are wide open? 2) trojan.pl only checks searchpaths, as they exist at the time of execution. I have several searchpaths, and they change during the day. You want to check the searchpath during "normal" conditions. Therefore you don't want to check searchpaths in a cron job, but in a window running a shell. 3) Trojan.pl checks symbolic (soft) links. If you have the the directory /usr/local/bin in your searchpath, and the file /usr/local/bin/abc is linked to /local/bin/abc which is linked to /elsewhere/bin/abc trojan.pl checks the following directories: / /usr /usr/local /usr/local/bin /local/bin /local /elsewhere/bin /elsewhere Any of those directories might be group or world writable. Or the owner may not be root. Trojan.pl tells you who can drop a trojan in front of you and how. Symbolic links can be very messy to check into, and I don't know of any other program that does this check. and 4) trojan.pl gives you a numerical score of how good a job you are doing. Hopefully you can improve your score. Revision History: 1.0 Sent to some individuals 1.3 Submitted to bugtraq mailing list 1.4 bug fix suggested by John P. Rouillard 1.5 added -A option by request of Dave Sill 1.7 submitted to comp.unix.security and Firewalls 1.8 added a more robust testing mechanism for resolve problems 1.9 added a check for directories that end with "/", thanks to Chris Rouch 1.10 minor editing - no new bugs fixed/features added 1.13 tweaks for portability TODO Lists executables in directories, but doesn't list symbolic links. I have a directory that has all links.