From: netmask (netmask_at_enZotech.net)
Date: Tue Oct 08 2002 - 19:55:02 CDT
I contacted Eli Klein <elijahfirstlink.com> earlier today regarding this.
It would appear he was unaware (or says this) that his server was
used in this attack (He runs spatula.aclue.com, the server that was
used in the back door).
I was kind of amazed CERT or Sendmail or anyone for that matter hadn't tried
to contact him. It would be apparent that the interest in actually figuring
out who hacked Sendmail's ftp site is little to none. Unless of course they
were just assuming someone was trying to frame Mr. Klein :P
Anyhow, I have made the backdoor'd sendmail code available at
http://www.enzotech.net/files/sm.backdoor.patch and the base64
portion is decoded at http://www.enzotech.net/files/sm.backdoor.base64.txt
The service running on spatula.aclue.com on port 6667 has since been shut
down, but apparently not by the Administrator.
It would be nice if Sendmail could provide stats on how many people were
affected, and if the maintainer of that box can provide proper forensics to
determine what activity went on.
netmask of enZo
> Dave Ahmad (dasecurityfocus.com) composed today:
> David Mirza Ahmad
> KeyID: 0x26005712
> Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12