On Wed, Oct 09, 2002 at 01:09:31AM -0500, [EMAIL PROTECTED] wrote:
> FYI: http://www.cert.org/advisories/CA-2002-28.html

Thanks Onie for sharing a link to an advisory. However, I encourage
everyone to do a little bit more next time. In particular this message
is just a link. It doesn't say anything about what the issue is about.
Let me expand things a little while we're at it, and in the hopes that
this can serve as a good example.

Subject: Trojan Horse Sendmail Distribution
CERT Release Date: October 08, 2002

Complete CERT advisory at:

    http://www.cert.org/advisories/CA-2002-28.html

Summary:

"The CERT/CC has received confirmation that some copies of the source
code for the Sendmail package have been modified by an intruder to
contain a Trojan horse.

"The following files were modified to include the malicious code:
sendmail.8.12.6.tar.Z sendmail.8.12.6.tar.gz

"These files began to appear in downloads from the FTP server
ftp.sendmail.org on or around September 28, 2002. The Sendmail
development team disabled the compromised FTP server on October 6, 2002
at approximately 22:15 PDT. It does not appear that copies downloaded
via HTTP contained the Trojan horse; however, the CERT/CC encourages
users who may have downloaded the source code via HTTP during this time
period to take the steps outlined in the Solution section as a
precautionary measure.

"The Trojan horse versions of Sendmail contain malicious code that is
run during the process of building the software. This code forks a
process that connects to a fixed remote server on 6667/tcp. This forked
process allows the intruder to open a shell running in the context of
the user who built the Sendmail software. There is no evidence that the
process is persistent after a reboot of the compromised system. However,
a subsequent build of the Trojan horse Sendmail package will
re-establish the backdoor process."

 --> Jijo

-- 
Federico Sevilla III   :  http://jijo.free.net.ph
Network Administrator  :  The Leather Collection, Inc.
GnuPG Key ID           :  0x93B746BE
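
Added example, not part of the original message or the CERT advisory: a check for the symptom quoted above, a process on a build host holding or attempting an outbound connection to 6667/tcp. It assumes a Linux host with iproute2's `ss`; the function names and the sample socket table are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag outbound TCP connections to remote port 6667 in
# `ss -tnp` output. Sample data below is constructed, not from the advisory.

SUSPECT_PORT=6667   # port named in the advisory text quoted above

# Reads `ss -tnp` output on stdin; prints "state peer process" for each
# socket whose *peer* port matches. SYN-SENT is included so that a backdoor
# retrying against an unreachable server is still reported.
find_suspect_conns() {
    awk -v port="$SUSPECT_PORT" '
        NR == 1 && $1 == "State" { next }          # skip header row
        $1 == "ESTAB" || $1 == "SYN-SENT" {
            peer_port = $5
            sub(/.*:/, "", peer_port)              # works for IPv4 and [IPv6]:port
            if (peer_port == port) {
                proc = (NF >= 6) ? $6 : "(no process info; rerun as root)"
                print $1, $5, proc
            }
        }'
}

# Constructed sample (documentation address ranges only).
sample_ss_output() {
    cat <<'EOF'
State    Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
ESTAB    0      0      192.0.2.10:51514     203.0.113.7:6667     users:(("sh",pid=4242,fd=3))
ESTAB    0      0      192.0.2.10:22        198.51.100.5:50222   users:(("sshd",pid=911,fd=4))
SYN-SENT 0      1      192.0.2.10:51600     203.0.113.7:6667
LISTEN   0      128    0.0.0.0:6667         0.0.0.0:*            users:(("ircd",pid=300,fd=5))
ESTAB    0      0      [2001:db8::10]:40000 [2001:db8::99]:6667  users:(("make",pid=4300,fd=4))
EOF
}

# Live use: ss -tnp | find_suspect_conns
sample_ss_output | find_suspect_conns
```

A hit is only a lead: legitimate IRC clients also use this port, so the owning PID and the user it runs as (the account that ran the build) are what to examine next.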