linux-l: Trojan Horse in util-linux
Volker Kroll
vkroll at i-m-r-k.com
Sat Feb 6 09:45:12 CET 1999
Hi,
I don't know how many of you read CERT advisories. Here is an excerpt
that concerns the "one true OS":
--------
Trojan Horse Version of util-linux
The util-linux distribution includes several essential utilities for
linux systems. We have confirmed with the authors of util-linux that a
Trojan horse was placed in the file util-linux-2.9g.tar.gz on at least
one ftp server between January 22, 1999, and January 24, 1999. This
Trojan horse could have been distributed to mirror FTP sites.
Within the Trojan horse util-linux distribution the program /bin/login
was modified. The modifications included code to send email to an
intruder that contains the host name and uid of users logging in. The
code was also modified to provide anyone with access to a login prompt
the capability of executing commands based on their input at the login
prompt. There were no other functional modifications made to the
Trojan horse util-linux distribution that we are aware of.
A quick check to ensure you do not have the Trojan horse installed is
to execute the following command
$ strings /bin/login | grep "HELO"
If that command returns the following output, then your machine has
the Trojan horse version of util-linux-2.9g installed.
HELO 127.0.0.1
If the above command returns nothing, then you do not have this
particular Trojan horse installed.
You cannot rely on the modification date of the file
util-linux-2.9g.tar.gz because the Trojan horse version has the same
size and time stamp as the original version.
In response to the distribution of this Trojan horse, the authors of
util-linux have released util-linux-2.9h.tar.gz. This file is
available via anonymous ftp from:
ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz
Be sure to download and verify the PGP signature as well:
ftp://ftp.win.tue.nl/pub/linux/utils/util-linux/util-linux-2.9h.tar.gz.sign
This package can be verified with the "Linux Kernel Archives" PGP
Public Key, available from the following URL:
http://www.kernel.org/signature.html
-------
HTH
Volker
--
**********************************************************************
* Volker Kroll (Berlin, Germany) *
* Web designer, musician *
* vkroll at i-m-r-k.com http://www.wiwiss.fu-berlin.de/~kroll/ *
**********************************************************************
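
Added example, not part of the original message or of the CERT advisory: a shell sketch of the advisory's string check run next to a size/timestamp comparison, showing on two constructed files why matching metadata proves nothing while the content check and a digest still tell them apart. The function names, file names and sample bytes are hypothetical, and the SHA-256 digest only illustrates that the contents differ; verifying the PGP signature, as the advisory says, remains the authenticity check.

```shell
#!/bin/sh
# Added example. All files are constructed stand-ins; /bin/login is not read.

# Portable equivalent of `strings FILE | grep MARKER`: replace every
# non-printable byte with a newline, then search for the fixed string.
has_marker() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep -F -q -- "$2"
}

# True when size and modification time both match, which is all that a
# directory listing can tell you about two files.
same_size_and_mtime() {
    [ "$(wc -c < "$1")" -eq "$(wc -c < "$2")" ] &&
        ! [ "$1" -nt "$2" ] && ! [ "$1" -ot "$2" ]
}

# Content digest (assumption: sha256sum from GNU coreutils is installed).
digest() { sha256sum < "$1" | cut -d' ' -f1; }

# Write two constructed "binaries" of equal length; only one embeds the
# advisory's string. The second then gets the first one's timestamp.
make_samples() {
    printf 'ELF\000\001login: \000Password: \000pad-pad-pad-pa\000' > "$1/login.clean"
    printf 'ELF\000\001login: \000HELO 127.0.0.1\000Password: \000' > "$1/login.trojan"
    touch -r "$1/login.clean" "$1/login.trojan"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
make_samples "$tmp"
for f in "$tmp/login.clean" "$tmp/login.trojan"; do
    if has_marker "$f" 'HELO 127.0.0.1'; then verdict='marker found'
    else verdict='marker absent'; fi
    printf '%s  %s  %s\n' "$(digest "$f")" "${f##*/}" "$verdict"
done
if same_size_and_mtime "$tmp/login.clean" "$tmp/login.trojan"; then
    echo 'size and mtime are identical, yet the digests above differ'
fi
```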