October 9th, 2002, 09:17 AM
Heads up: trojan in Sendmail distribution
Again, a program's distribution file has been trojanned. This time, sendmail 8.12.6 is the victim. It appears that files downloaded from ftp.sendmail.org, starting on September 28th, 2002, have been infected by a trojan. The server has been taken offline October 28th.
These kinds of attacks seem to increase steadily. I remember reporting trojanned distributions a couple of times in the last few months. How can this be stopped?
Notice on sendmail.org
If you download the sendmail distribution you MUST verify the PGP signature. Do NOT use sendmail without verifying the integrity of the source code.
(part of) CERT® Advisory CA-2002-28 Trojan Horse Sendmail Distribution
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse.
The following files were modified to include the malicious code:
These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.
The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
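The sendmail.org notice quoted above says the PGP signature must be verified before the source is used, and the advisory notes the malicious code runs during the build. The following is an added example, not code from sendmail.org, CERT/CC or any poster: it accepts a tarball only when GnuPG reports a valid signature from a pinned key fingerprint. The function names, the dedicated keyring path and the pinned fingerprint (assumed to have been obtained from somewhere other than the download server) are assumptions of the example.

```python
import subprocess

# Status keywords GnuPG emits when a signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def normalize(fpr):
    """Strip spaces and case so fingerprints compare reliably."""
    return fpr.replace(" ", "").upper()


def signature_ok(status_text, pinned_fpr):
    """Decide from `gpg --status-fd` output whether the pinned key signed the file.

    Accepts only if some VALIDSIG line names the pinned fingerprint (as the
    signing key or as its primary key) and no rejecting status appears at all.
    A good signature made by any other key is refused.
    """
    pinned = normalize(pinned_fpr)
    matched = False
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()[1:]
        if not fields:
            continue
        if fields[0] in REJECT:
            return False
        if fields[0] == "VALIDSIG" and len(fields) >= 2:
            # fields[1] is the signing (sub)key fingerprint; when present,
            # the last field is the primary key fingerprint.
            if pinned in (fields[1].upper(), fields[-1].upper()):
                matched = True
    return matched


def verify_release(tarball, detached_sig, keyring, pinned_fpr):
    """Run gpg against a dedicated keyring; call before unpacking or building."""
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", detached_sig, tarball],
        capture_output=True, text=True)
    return proc.returncode == 0 and signature_ok(proc.stdout, pinned_fpr)
```

Pinning the fingerprint matters because a signature that merely verifies against some key proves nothing if that key came from the same server as the tarball.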
October 9th, 2002, 12:55 PM
And again sendmail becomes sendworms..
thx for the warning..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
October 10th, 2002, 03:28 AM
Wow, I just came across this too just 5 minutes ago. Scared me for a second because I just downloaded and installed sendmail a few days ago, but luckily my md5 checksum checks out just fine - teaches me I should not be so freakin lazy and check the things in the first place.
Thanks for the heads up.