Bugtraq mailing list archives

Re: CERT Advisory - wuarchive ftpd Trojan Horse


From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Mon, 11 Apr 94 8:58:51 EDT


Alastair Young wrote:
I wish CERT would have posted more details though.
Like how the trojan worked or where it was or what sites
contained a copy of it.  How do I know the newest version
2.3 has not already been modified?


Check your source for the string '"NULL"', i.e. the word NULL in double quotes.
We have an older version (2.1a) which appears to be clean.

Whilst I haven't checked this, I seem to remember hearing that the bug was to
allow ftp to root. In this case hopefully many sites would have been protected
by /etc/ftpusers.

I strongly suggest adding root (and other privileged accounts) to this file if
you do not honestly need ftp access to them. This is of course true regardless
of whether or not this would have prevented the recent wuftpd attacks.

        James

--
James Bonfield (jkb () mrc-lmb cam ac uk)   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.
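
Added example, not part of the original message: the two checks suggested above (search the ftpd source for the quoted string "NULL", and confirm that privileged accounts are listed in the ftpusers file) written as a POSIX shell script. The function names, the fixture files and the reading of "privileged" as UID 0 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original message. Paths are caller-supplied.

# List C sources under $1 containing the literal "NULL" (quotes included).
# A hit is only a lead for manual review, not proof of tampering.
scan_source_for_marker() {
    find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
        -exec grep -lF '"NULL"' {} + 2>/dev/null | sort
}

# Print UID-0 accounts in passwd file $1 that ftpusers file $2 does not deny.
# Assumption: "privileged" means UID 0. A missing ftpusers denies nobody.
ftpusers_missing() {
    deny=$2
    [ -r "$deny" ] || deny=/dev/null
    awk -F: '
        FILENAME == ARGV[1] {             # deny list: one account per line
            sub(/#.*/, ""); gsub(/[ \t\r]/, "")
            if ($0 != "") denied[$0] = 1
            next
        }
        $1 !~ /^#/ && $3 ~ /^0+$/ && !($1 in denied) { print $1 }
    ' "$deny" "$1"
}

# Build constructed fixtures (not real system files); prints the directory.
make_fixtures() {
    d=$(mktemp -d) || return 1
    mkdir "$d/src"
    printf '%s\n' 'root:x:0:0::/root:/bin/sh' 'toor:x:0:0::/root:/bin/sh' \
        'ftp:x:14:50::/home/ftp:/bin/false' > "$d/passwd"
    printf '%s\n' '# accounts refused by ftpd' 'root   # superuser' 'uucp' \
        > "$d/ftpusers"
    printf '%s\n' 'const char *marker = "NULL"; /* constructed */' > "$d/src/a.c"
    printf '%s\n' 'char *p = NULL; /* constructed, unquoted */' > "$d/src/b.c"
    echo "$d"
}

fx=$(make_fixtures) || exit 1
echo "Sources to review:";        scan_source_for_marker "$fx/src"
echo "UID-0 accounts not denied:"; ftpusers_missing "$fx/passwd" "$fx/ftpusers"
rm -rf "$fx"
```

On a real host the same functions would be pointed at the unpacked ftpd source tree and at /etc/passwd and /etc/ftpusers.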


