Press CTRL-D to bookmark us
Welcome Guest Login / Register / Members
Search in  
Top Submit newsSubscribe
Communication | Computer Crime | Digital Audio, Video, Photo | General News | Hardware | Internet | Mobile | PDA | Security | Software | Vulnerability |
Previous articleBack to news listNext article
 

 Sponsored links

Want to become one of our authors and see your work published on ALLSeek.iNFO ?
 
 Trojanized Sendmail distro circulated
Categorie: Vulnerability
Posted: 2002-10-10 by Gmtech
Views: 629
Source: Click here
 		Current Rating: Not rated
Poor Best
 Details
Oct 9 2002 5:32AM



An enterprising computer enthusiast has managed to insert a Trojan in the source code for a recent Sendmail distro and to substitute the malicious package for the real McCoy on the Sendmail.org FTP server.



The malicious files were available from 28 September 2002 until 6 October 2002. The affected files, with their correct checksums are:

73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz

cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z

8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig



According to a recent CERT advisory, it is believed that the Trojan is de-activated when the system is restarted. It is also believed that users who downloaded from the sendmail.org HTTP server are not affected. Files on all mirror FTP and HTTP servers should be presumed infected.



The Trojan is activated at build time and functions with the privileges of the user building it, and apparently connects to an IRC server. The malicious code "forks a process that connects to a fixed remote server on 6667/TCP. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software," CERT says.



One quick and dirty workaround would be to re-boot the affected machine (if that's convenient) for a little breathing space while the damage is assessed and/or blocking egress to port 6667. The packages available now at Sendmail.org are clean, but verifying the checksums still isn't a bad idea. Not that it ever was. ®


 
 Links
Another article on this topic
 
Syndication
Permalink Email this

The URI to TrackBack this entry is:
http://allseek.info/news/trackback.php?id=9

User comments (post your comments here)

Only registerd members can post comments and articles
 
Previous articleBack to news listNext article
 


InterJOB.su
Bookmark us | Set As Homepage | Advertising | Contact Us | Recomend us | Link us | Links | Terms

SpyLOG Page Rank Checker
LAST QUERIES