-----Forwarded Message-----

> From: CERT Advisory <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
> Date: 08 Oct 2002 17:50:52 -0400
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution
>
> Original release date: October 08, 2002
> Last revised: --
> Source: CERT/CC
>
> A complete revision history is at the end of this file.
>
> Overview
>
> The CERT/CC has received confirmation that some copies of the source
> code for the Sendmail package were modified by an intruder to contain
> a Trojan horse.
>
> Sites that employ, redistribute, or mirror the Sendmail package should
> immediately verify the integrity of their distribution.
>
> I. Description
>
> The CERT/CC has received confirmation that some copies of the source
> code for the Sendmail package have been modified by an intruder to
> contain a Trojan horse.
>
> The following files were modified to include the malicious code:
>
>     sendmail.8.12.6.tar.Z
>     sendmail.8.12.6.tar.gz
>
> These files began to appear in downloads from the FTP server
> ftp.sendmail.org on or around September 28, 2002. The Sendmail
> development team disabled the compromised FTP server on October 6,
> 2002 at approximately 22:15 PDT. It does not appear that copies
> downloaded via HTTP contained the Trojan horse; however, the CERT/CC
> encourages users who may have downloaded the source code via HTTP
> during this time period to take the steps outlined in the Solution
> section as a precautionary measure.
>
> The Trojan horse versions of Sendmail contain malicious code that is
> run during the process of building the software. This code forks a
> process that connects to a fixed remote server on 6667/tcp. This
> forked process allows the intruder to open a shell running in the
> context of the user who built the Sendmail software. There is no
> evidence that the process is persistent after a reboot of the
> compromised system. However, a subsequent build of the Trojan horse
> Sendmail package will re-establish the backdoor process.
>
> II. Impact
>
> An intruder operating from the remote address specified in the
> malicious code can gain unauthorized remote access to any host that
> compiled a version of Sendmail from this Trojan horse version of the
> source code. The level of access would be that of the user who
> compiled the source code.
>
> It is important to understand that the compromise is to the system
> that is used to build the Sendmail software and not to the systems
> that run the Sendmail daemon. Because the compromised system creates a
> tunnel to the intruder-controlled system, the intruder may have a path
> through network access controls.
>
> III. Solution
>
> Obtain an authentic version of Sendmail
>
> The primary distribution site for Sendmail is
>
>     http://www.sendmail.org/
>
> Sites that mirror the Sendmail source code are encouraged to verify
> the integrity of their sources.
>
> Verify software authenticity
>
> We strongly encourage sites that recently downloaded a copy of the
> Sendmail distribution to verify the authenticity of their
> distribution, regardless of where it was obtained. Furthermore, we
> encourage users to inspect any and all software that may have been
> downloaded from the compromised site. Note that it is not sufficient
> to rely on the timestamps or sizes of the file when trying to
> determine whether or not you have a copy of the Trojan horse version.
>
> Verify PGP signatures
>
> The Sendmail source distribution is cryptographically signed with the
> following PGP key:
>
>     pub  1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002
>          <[EMAIL PROTECTED]>
>     Key fingerprint = 7B 02 F4 AA FC C0 22 DA  47 3E 2A 9A 9B 35 22 45
>
> The Trojan horse copy did not include an updated PGP signature, so
> attempts to verify its integrity would have failed. The sendmail.org
> staff has verified that the Trojan horse copies did indeed fail PGP
> signature checks.
>
> Verify MD5 checksums
>
> In the absence of PGP, you can use the following MD5 checksums to
> verify the integrity of your Sendmail source code distribution:
>
> Correct versions:
>
>     73e18ea78b2386b774963c8472cbd309  sendmail.8.12.6.tar.gz
>     cebe3fa43731b315908f44889d9d2137  sendmail.8.12.6.tar.Z
>     8b9c78122044f4e4744fc447eeafef34  sendmail.8.12.6.tar.sig
>
> As a matter of good security practice, the CERT/CC encourages users to
> verify, whenever possible, the integrity of downloaded software. For
> more information, see
>
>     http://www.cert.org/incident_notes/IN-2001-06.html
>
> Employ egress filtering
>
> Egress filtering manages the flow of traffic as it leaves a network
> under your administrative control.
>
> In the case of the Trojan horse Sendmail distribution, employing
> egress filtering can help prevent systems on your network from
> connecting to the remote intruder-controlled system. Blocking outbound
> TCP connections to port 6667 from your network reduces the risk of
> internal compromised machines communicating with the remote system.
>
> Build software as an unprivileged user
>
> Sites are encouraged to build software from source code as an
> unprivileged, non-root user on the system. This can lessen the
> immediate impact of Trojan horse software. Compiling software that
> contains Trojan horses as the root user results in a compromise that
> is much more difficult to reliably recover from than if the Trojan
> horse is executed as a normal, unprivileged user on the system.
>
> Recovering from a system compromise
>
> If you believe a system under your administrative control has been
> compromised, please follow the steps outlined in
>
>     Steps for Recovering from a UNIX or NT System Compromise
>
> Reporting
>
> The CERT/CC is interested in receiving reports of this activity. If
> machines under your administrative control are compromised, please
> send mail to [EMAIL PROTECTED] with the following text included in the
> subject line: "[CERT#33376]".
>
> Appendix A. - Vendor Information
>
> This appendix contains information provided by vendors for this
> advisory. As vendors report new information to the CERT/CC, we will
> update this section and note the changes in our revision history. If a
> particular vendor is not listed below, we have not received their
> comments.
> _________________________________________________________________
>
> The CERT Coordination Center thanks the staff at the Sendmail
> Consortium for bringing this issue to our attention.
> _________________________________________________________________
>
> Feedback can be directed to the authors: Chad Dougherty, Marty
> Lindner.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2002-28.html
> ______________________________________________________________________
>
> CERT/CC Contact Information
>
> Email: [EMAIL PROTECTED]
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
>     CERT Coordination Center
>     Software Engineering Institute
>     Carnegie Mellon University
>     Pittsburgh PA 15213-3890
>     U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
> Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
> Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to [EMAIL PROTECTED]. Please include in the body of your
> message
>
>     subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> _________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2002 Carnegie Mellon University.
>
> Revision History
> October 08, 2002: Initial release
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
>
> iQCVAwUBPaNCtmjtSoHZUTs5AQHXrgQA2CkSFrIQxV9dLy07J0ezZgT2RrfCDpXY
> lPO0HhPe4kcbw4AMXs5LAjhA7DoW32PjAytRWOCNMu1FFDbl3eohf7OP2ZjtgYnD
> kwpfjPKVejJDD1BX2O/+jb1rlUKOm2tIt7NK+w8HKOKUYZal/x3RI3AxnAAGLv8A
> /DNWpyNYsGg=
> =fL1h
> -----END PGP SIGNATURE-----

-- 
Shannon Roddy
Systems Administrator
California Institute of Technology
LIGO Livingston Observatory
19100 LIGO Lane
Livingston, LA 70754
[EMAIL PROTECTED]
ph: (225)686-3106
fx: (225)686-7189
Web Page: http://www.ligo-la.caltech.edu/~sroddy
Calendar/Schedule: See Home Page
Wireless Email (255 Chars): [EMAIL PROTECTED]
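The "Verify MD5 checksums" step of the forwarded advisory, as an added example that is not part of the advisory, of CERT/CC, or of the Sendmail project: a small Python checker that hashes a downloaded archive in chunks, compares the digest with the published values quoted above, and refuses to treat a file the advisory lists no value for as verified. Its `demo()` also illustrates the advisory's warning that timestamps and sizes are not enough: it builds two constructed stand-in files (not real tarballs) with identical size and mtime that still hash differently. The three checksums are the ones printed in the advisory; the file names, directory layout and timestamp in `demo()` are constructed.

```python
"""Checksum verification for a downloaded Sendmail source archive, following
the MD5 step in CERT Advisory CA-2002-28.  Added example; not CERT/CC or
Sendmail Consortium code.  The three digests are the 'correct versions'
quoted in the advisory; the sample files built by demo() are constructed
stand-ins, not real tarballs."""
import hashlib
import os
import tempfile
from typing import Dict, Optional

# Published MD5 checksums of the genuine 8.12.6 distribution (from CA-2002-28).
KNOWN_GOOD_MD5 = {
    "sendmail.8.12.6.tar.gz": "73e18ea78b2386b774963c8472cbd309",
    "sendmail.8.12.6.tar.Z": "cebe3fa43731b315908f44889d9d2137",
    "sendmail.8.12.6.tar.sig": "8b9c78122044f4e4744fc447eeafef34",
}


def md5_hex(path: str) -> str:
    """Hash a file in 64 KiB chunks so a large archive never has to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str, actual: str) -> str:
    """'verified' if the digest matches the published one, 'mismatch' if it does
    not, and 'unlisted' when the advisory publishes no value for that file name.
    An unlisted file is deliberately not reported as verified."""
    expected = KNOWN_GOOD_MD5.get(name)
    if expected is None:
        return "unlisted"
    return "verified" if actual.lower() == expected else "mismatch"


def verify_file(path: str) -> Dict[str, object]:
    """Verify one downloaded file by its base name and return a short report."""
    name = os.path.basename(path)
    actual = md5_hex(path)
    return {
        "file": name,
        "size": os.path.getsize(path),
        "mtime": int(os.path.getmtime(path)),
        "expected": KNOWN_GOOD_MD5.get(name),
        "actual": actual,
        "status": classify(name, actual),
    }


def demo(workdir: Optional[str] = None) -> Dict[str, object]:
    """Constructed demonstration of why size and timestamp are not enough:
    two stand-in 'downloads' of equal size and equal mtime that differ in a
    single byte.  Neither is a real tarball, so both fail the published digest."""
    workdir = workdir or tempfile.mkdtemp(prefix="ca-2002-28-")
    path_a = os.path.join(workdir, "mirror-a", "sendmail.8.12.6.tar.gz")
    path_b = os.path.join(workdir, "mirror-b", "sendmail.8.12.6.tar.gz")
    for path, payload in ((path_a, b"abc"), (path_b, b"abX")):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(payload)
        # Constructed timestamp (early October 2002) applied to both files.
        os.utime(path, (1033600000, 1033600000))
    report_a = verify_file(path_a)
    report_b = verify_file(path_b)
    return {
        "a": report_a,
        "b": report_b,
        "same_size": report_a["size"] == report_b["size"],
        "same_mtime": report_a["mtime"] == report_b["mtime"],
        "same_digest": report_a["actual"] == report_b["actual"],
    }


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:]
    if not targets:
        result = demo()
        for key in ("a", "b"):
            print(result[key])
        print("same size:", result["same_size"], "same mtime:", result["same_mtime"],
              "same digest:", result["same_digest"])
    else:
        reports = [verify_file(t) for t in targets]
        for report in reports:
            print(report)
        sys.exit(0 if all(r["status"] == "verified" for r in reports) else 1)
```

Run it with the downloaded archive paths as arguments (`python3 verify_sendmail.py sendmail.8.12.6.tar.gz`); with no arguments it runs the constructed demonstration. The digest check is the fallback the advisory offers "in the absence of PGP": the signature check is the stronger of the two, since the advisory notes the Trojan horse copies failed it, and MD5 has since lost collision resistance, so a current release would be checked against a signed SHA-256 list rather than these MD5 values.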
