Risks
Advisories
Browse
or
or
CERT Advisory CA-2002-28 -Trojan Horse Sendmail Distribution
-----BEGIN PGP SIGNED MESSAGE----- 


CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution 


   Original release date: October 08, 2002 
   Last revised: -- 
   Source: CERT/CC 


   A complete revision history is at the end of this file. 


Overview 


   The CERT/CC has received confirmation that some copies of the source 
   code for the Sendmail package were modified by an intruder to contain 
   a Trojan horse. 


   Sites that employ, redistribute, or mirror the Sendmail package should 
   immediately verify the integrity of their distribution. 


I. Description 


   The CERT/CC has received confirmation that some copies of the source 
   code for the Sendmail package have been modified by an intruder to 
   contain a Trojan horse. 


   The following files were modified to include the malicious code: 


     sendmail.8.12.6.tar.Z 
     sendmail.8.12.6.tar.gz 


   These files began to appear in downloads from the FTP server 
   ftp.sendmail.org on or around September 28, 2002. The Sendmail 
   development team disabled the compromised FTP server on October 6, 
   2002 at approximately 22:15 PDT. It does not appear that copies 
   downloaded via HTTP contained the Trojan horse; however, the CERT/CC 
   encourages users who may have downloaded the source code via HTTP 
   during this time period to take the steps outlined in the Solution 
   section as a precautionary measure. 


   The Trojan horse versions of Sendmail contain malicious code that is 
   run during the process of building the software. This code forks a 
   process that connects to a fixed remote server on 6667/tcp. This 
   forked process allows the intruder to open a shell running in the 
   context of the user who built the Sendmail software. There is no 
   evidence that the process is persistent after a reboot of the 
   compromised system. However, a subsequent build of the Trojan horse 
   Sendmail package will re-establish the backdoor process. 


II. Impact 


   An intruder operating from the remote address specified in the 
   malicious code can gain unauthorized remote access to any host that 
   compiled a version of Sendmail from this Trojan horse version of the 
   source code. The level of access would be that of the user who 
   compiled the source code. 


   It is important to understand that the compromise is to the system 
   that is used to build the Sendmail software and not to the systems 
   that run the Sendmail daemon. Because the compromised system creates a 
   tunnel to the intruder-controlled system, the intruder may have a path 
   through network access controls. 


III. Solution 


Obtain an authentic version Sendmail 


   The primary distribution site for Sendmail is 


          http://www.sendmail.org/ 


   Sites that mirror the Sendmail source code are encouraged to verify 
   the integrity of their sources. 


Verify software authenticity 


   We strongly encourage sites that recently downloaded a copy of the 
   Sendmail distribution to verify the authenticity of their 
   distribution, regardless of where it was obtained. Furthermore, we 
   encourage users to inspect any and all software that may have been 
   downloaded from the compromised site. Note that it is not sufficient 
   to rely on the timestamps or sizes of the file when trying to 
   determine whether or not you have a copy of the Trojan horse version. 


Verify PGP signatures 


   The Sendmail source distribution is cryptographically signed with the 
   following PGP key: 


     pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 
     <sendmail@Sendmail.ORG> 
     Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45 


   The Trojan horse copy did not include an updated PGP signature, so 
   attempts to verify its integrity would have failed. The sendmail.org 
   staff has verified that the Trojan horse copies did indeed fail PGP 
   signature checks. 


Verify MD5 checksums 


   In the absence of PGP, you can use the following MD5 checksums to 
   verify the integrity of your Sendmail source code distribution: 
   Correct versions: 


     73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz 
     cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z 
     8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig 


   As a matter of good security practice, the CERT/CC encourages users to 
   verify, whenever possible, the integrity of downloaded software. For 
   more information, see 


          http://www.cert.org/incident_notes/IN-2001-06.html 


Employ egress filtering 


   Egress filtering manages the flow of traffic as it leaves a network 
   under your administrative control. 


   In the case of the Trojan horse Sendmail distribution, employing 
   egress filtering can help prevent systems on your network from 
   connecting to the remote intruder-controlled system. Blocking outbound 
   TCP connections to port 6667 from your network reduces the risk of 
   internal compromised machines communicating with the remote system. 


Build software as an unprivileged user 


   Sites are encouraged to build software from source code as an 
   unprivileged, non-root user on the system. This can lessen the 
   immediate impact of Trojan horse software. Compiling software that 
   contains Trojan horses as the root user results in a compromise that 
   is much more difficult to reliably recover from than if the Trojan 
   horse is executed as a normal, unprivileged user on the system. 


Recovering from a system compromise 


   If you believe a system under your administrative control has been 
   compromised, please follow the steps outlined in 


          Steps for Recovering from a UNIX or NT System Compromise 


Reporting 


   The CERT/CC is interested in receiving reports of this activity. If 
   machines under your administrative control are compromised, please 
   send mail to cert@cert.org with the following text included in the 
   subject line: "[CERT#33376]". 


Appendix A. - Vendor Information 


   This appendix contains information provided by vendors for this 
   advisory. As vendors report new information to the CERT/CC, we will 
   update this section and note the changes in our revision history. If a 
   particular vendor is not listed below, we have not received their 
   comments. 
     _________________________________________________________________ 


   The CERT Coordination Center thanks the staff at the Sendmail 
   Consortium for bringing this issue to our attention. 
     _________________________________________________________________ 


   Feedback can be directed to the authors: Chad Dougherty, Marty 
   Lindner. 
   ______________________________________________________________________ 


   This document is available from: 
   http://www.cert.org/advisories/CA-2002-28.html 
   ______________________________________________________________________ 


CERT/CC Contact Information 


   Email: cert@cert.org 
          Phone: +1 412-268-7090 (24-hour hotline) 
          Fax: +1 412-268-6989 
          Postal address: 
          CERT Coordination Center 
          Software Engineering Institute 
          Carnegie Mellon University 
          Pittsburgh PA 15213-3890 
          U.S.A. 


   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / 
   EDT(GMT-4) Monday through Friday; they are on call for emergencies 
   during other hours, on U.S. holidays, and on weekends. 


Using encryption 


   We strongly urge you to encrypt sensitive information sent by email. 
   Our public PGP key is available from 
   http://www.cert.org/CERT_PGP.key 


   If you prefer to use DES, please call the CERT hotline for more 
   information. 


Getting security information 


   CERT publications and other security information are available from 
   our web site 
   http://www.cert.org/ 


   To subscribe to the CERT mailing list for advisories and bulletins, 
   send email to majordomo@cert.org. Please include in the body of your 
   message 


   subscribe cert-advisory 


   * "CERT" and "CERT Coordination Center" are registered in the U.S. 
   Patent and Trademark Office. 
   ______________________________________________________________________ 


   NO WARRANTY 
   Any material furnished by Carnegie Mellon University and the Software 
   Engineering Institute is furnished on an "as is" basis. Carnegie 
   Mellon University makes no warranties of any kind, either expressed or 
   implied as to any matter including, but not limited to, warranty of 
   fitness for a particular purpose or merchantability, exclusivity or 
   results obtained from use of the material. Carnegie Mellon University 
   does not make any warranty of any kind with respect to freedom from 
   patent, trademark, or copyright infringement. 
     _________________________________________________________________ 


   Conditions for use, disclaimers, and sponsorship information 


   Copyright 2002 Carnegie Mellon University. 


   Revision History 
October 08, 2002: Initial release 


-----BEGIN PGP SIGNATURE----- 
Version: PGP 6.5.8 


iQCVAwUBPaNCtmjtSoHZUTs5AQHXrgQA2CkSFrIQxV9dLy07J0ezZgT2RrfCDpXY 
lPO0HhPe4kcbw4AMXs5LAjhA7DoW32PjAytRWOCNMu1FFDbl3eohf7OP2ZjtgYnD 
kwpfjPKVejJDD1BX2O/+jb1rlUKOm2tIt7NK+w8HKOKUYZal/x3RI3AxnAAGLv8A 
/DNWpyNYsGg= 
=fL1h 
-----END PGP SIGNATURE----- 




Spotlight

Biggest ever cyber security exercise in Europe is underway

Posted on 30 October 2014.  |  More than 200 organisations and 400 cyber-security professionals from 29 European countries are testing their readiness to counter cyber-attacks in a day-long simulation, organised by the European Network and Information Security Agency (ENISA).


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Thu, Oct 30th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //