[VIM] Questions on Etomite back door

Steven M. Christey coley at mitre.org
Fri Jan 20 15:19:19 EST 2006


Naturally right after clicking "send" I saw this.  Looks like the code
was added by an earlier developer or something.

Interestingly 'cijfer at netti.fi', the alleged email address that the
info was sent to, is also a researcher for various vulns.

  http://www.etomite.org/forums/index.php?showtopic=4185

  ".. The primary reason behind the suspension is due to the amount of
  exploit warnings that both Dean and myself have been receiving
  recently... I will attempt to explain the theory, to the best of my
  understanding, behind the suspicious code...

  For those of you who have been around since the early days,
  pre-0.6.1, when Alex was still running the project, I'm sure you can
  remember all of the debates regarding pirated copies and
  unauthorized rebranding which was, and still is, running rampant
  across the internet... From what I have surmised... at some point
  Alex made attempts to track such activities by adding several lines
  of encrypted code in the 0.6 release... The code was not malicious
  in nature, however... One of the pieces of code, todo.inc.php,
  merely sends an email to what may now be an inactive email address
  which reported the ip address of the server running the
  script... This ip address was, most likely, used in an effort to
  determine whether the code was legitimate Etomite code and not an
  illegally rebranded copy of the code into which Alex had invested so
  much time and effort... What he may have done with this information
  is speculative...

  For this very reason, as well as possible implications with Etomite
  being implemented in certain secure environments, every effort has
  and continues to be made to insure that any such code is removed
  from the Etomite 0.6.1 release tree... The downside is that, because
  the Etomite 0.6 Final code base was entirely developed by Alex, that
  code will not be modified... In addition, no attempts will be made
  to track down and circumvent any such code that exists in that
  release... Anyone who has further concerns should seriously consider
  upgrading to Etomite 0.6.1-RTM or wait for 0.6.1-Final..."



- Steve

