linux-l: Trojan Horse in util-linux

Volker Kroll vkroll at
Sa Feb 6 09:45:12 CET 1999


ich weiss nicht wie viele von Euch CERT Advisorys lesen. Hier ein Auszug,
der das "einzig wahre OS" betrifft:

Trojan Horse Version of util-linux

  The util-linux distribution includes several essential utilities for
  linux systems. We have confirmed with the authors of util-linux that a
  Trojan horse was placed in the file util-linux-2.9g.tar.gz on at least
  one ftp server between January 22, 1999, and January 24, 1999. This
  Trojan horse could have been distributed to mirror FTP sites.

  Within the Trojan horse util-linux distribution the program /bin/login
  was modified. The modifications included code to send email to an
  intruder that contains the host name and uid of users logging in. The
  code was also modified to provide anyone with access to a login prompt
  the capability of executing commands based on their input at the login
  prompt. There were no other functional modifications made to to the
  Trojan horse util-linux distribution that we are aware of.

  A quick check to ensure you do not have the Trojan horse installed is
  to execute the following command

    $ strings /bin/login | grep "HELO"

  If that command returns the following output, then your machine has
  the Trojan horse version of util-linux-2.9g installed.


  If the above command returns nothing, then you do not have this
  particular Trojan horse installed.

  You cannot rely on the modification date of the file
  util-linux-2.9g.tar.gz because the Trojan horse version has the same
  size and time stamp as the original version.

  In response to the distribution of this Trojan horse, the authors of
  util-linux have released util-linux-2.9h.tar.gz. This file is
  available via anonymous ftp from:

  Be sure to download and verify the PGP signature as well:

  This package can be verified with the "Linux Kernel Archives" PGP
  Public Key, available from the following URL:

* Volker Kroll (Berlin, Germany)                                     *
* Webdesigner, Musiker                                               *
* vkroll at *

Mehr Informationen über die Mailingliste linux-l