Bugtraq mailing list archives
Re: CERT Advisory - wuarchive ftpd Trojan Horse
From: jkb () mrc-lmb cam ac uk (Bonfield James)
Date: Mon, 11 Apr 94 8:58:51 EDT
Alastair Young wrote:
I wish CERT would have posted more details though. like how the trojan worked or where it was or what sites contained copy of it. how do i know the newest version 2.3 has no already been modified?Check your source for the string '"NULL"' ie the word NULL in double quotes. We have an older version (2.1a) which appears to be clean.
Whilst I haven't checked this, I seem to remember hearing that the bug was to allow ftp to root. In this case hopefully many sites would have been protected by /etc/ftpusers. I strongly suggest adding root (and other privilaged accounts) to this file if you do not honestly need ftp access to them. This is of course true regardless of whether or not this would have prevented the recent wuftpd attacks. James -- James Bonfield (jkb () mrc-lmb cam ac uk) Tel: 0223 402499 Fax: 0223 412282 Medical Research Council - Laboratory of Molecular Biology, Hills Road, Cambridge, CB2 2QH, England.
Current thread:
- Re: CERT Advisory - wuarchive ftpd Trojan Horse Alastair Young (Apr 06)
- Re: CERT Advisory - wuarchive ftpd Trojan Horse Bonfield James (Apr 11)
- <Possible follow-ups>
- Re: CERT Advisory - wuarchive ftpd Trojan Horse Pat Myrto (Apr 19)
- Re: IETF Dave Fetrow (Apr 19)
- Re: IETF Brad Passwaters (Apr 19)
- Summary of NFS Quest Responses Pat Myrto (Apr 20)
- UnixWare Carl Corey (Apr 25)
- Re: UnixWare Perry E. Metzger (Apr 26)
- Re: UnixWare Marc W. Mengel (Apr 26)
- Re: IETF Dave Fetrow (Apr 19)