Amazing how the real world can respond quickly to an issue. And = Microsoft wants to standardize on 30 days. Joe -----Original Message----- From: Jim Kenzig http://thethin.net [mailto:jimkenz@xxxxxxxxxxxxxx] Sent: Tuesday, October 08, 2002 5:02 PM To: thin@xxxxxxxxxxxxx; windows2000@xxxxxxxxxxxxx Subject: [windows2000] FW: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution I know that this is Linux /Unix related but just the same Take Heed! JK -----Original Message----- From: CERT Advisory [mailto:cert-advisory@xxxxxxxx] Sent: Tuesday, October 08, 2002 5:40 PM To: cert-advisory@xxxxxxxx Subject: CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution Original release date: October 08, 2002 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Overview The CERT/CC has received confirmation that some copies of the = source code for the Sendmail package were modified by an intruder to = contain a Trojan horse. Sites that employ, redistribute, or mirror the Sendmail package = should immediately verify the integrity of their distribution. I. Description The CERT/CC has received confirmation that some copies of the = source code for the Sendmail package have been modified by an intruder = to contain a Trojan horse. The following files were modified to include the malicious code: sendmail.8.12.6.tar.Z sendmail.8.12.6.tar.gz These files began to appear in downloads from the FTP = server ftp.sendmail.org on or around September 28, 2002. The = Sendmail development team disabled the compromised FTP server on October = 6, 2002 at approximately 22:15 PDT. It does not appear that = copies downloaded via HTTP contained the Trojan horse; however, the = CERT/CC encourages users who may have downloaded the source code via = HTTP during this time period to take the steps outlined in the = Solution section as a precautionary measure. The Trojan horse versions of Sendmail contain malicious code that = is run during the process of building the software. This code forks = a process that connects to a fixed remote server on 6667/tcp. = This forked process allows the intruder to open a shell running in = the context of the user who built the Sendmail software. There is = no evidence that the process is persistent after a reboot of = the compromised system. However, a subsequent build of the Trojan = horse Sendmail package will re-establish the backdoor process. II. Impact An intruder operating from the remote address specified in = the malicious code can gain unauthorized remote access to any host = that compiled a version of Sendmail from this Trojan horse version of = the source code. The level of access would be that of the user = who compiled the source code. It is important to understand that the compromise is to the = system that is used to build the Sendmail software and not to the = systems that run the Sendmail daemon. Because the compromised system creates = a tunnel to the intruder-controlled system, the intruder may have a = path through network access controls. III. Solution Obtain an authentic version Sendmail The primary distribution site for Sendmail is http://www.sendmail.org/ Sites that mirror the Sendmail source code are encouraged to = verify the integrity of their sources. Verify software authenticity We strongly encourage sites that recently downloaded a copy of = the Sendmail distribution to verify the authenticity of = their distribution, regardless of where it was obtained. Furthermore, = we encourage users to inspect any and all software that may have = been downloaded from the compromised site. Note that it is not = sufficient to rely on the timestamps or sizes of the file when trying = to determine whether or not you have a copy of the Trojan horse version. Verify PGP signatures The Sendmail source distribution is cryptographically signed with = the following PGP key: pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 <sendmail@xxxxxxxxxxxx> Key fingerprint =3D 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45 The Trojan horse copy did not include an updated PGP signature, = so attempts to verify its integrity would have failed. The = sendmail.org staff has verified that the Trojan horse copies did indeed fail = PGP signature checks. Verify MD5 checksums In the absence of PGP, you can use the following MD5 checksums = to verify the integrity of your Sendmail source code distribution: Correct versions: 73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z 8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig As a matter of good security practice, the CERT/CC encourages users = to verify, whenever possible, the integrity of downloaded software. = For more information, see http://www.cert.org/incident_notes/IN-2001-06.html Employ egress filtering Egress filtering manages the flow of traffic as it leaves a = network under your administrative control. In the case of the Trojan horse Sendmail distribution, = employing egress filtering can help prevent systems on your network = from connecting to the remote intruder-controlled system. Blocking = outbound TCP connections to port 6667 from your network reduces the risk = of internal compromised machines communicating with the remote system. Build software as an unprivileged user Sites are encouraged to build software from source code as = an unprivileged, non-root user on the system. This can lessen = the immediate impact of Trojan horse software. Compiling software = that contains Trojan horses as the root user results in a compromise = that is much more difficult to reliably recover from than if the = Trojan horse is executed as a normal, unprivileged user on the system. Recovering from a system compromise If you believe a system under your administrative control has = been compromised, please follow the steps outlined in Steps for Recovering from a UNIX or NT System Compromise Reporting The CERT/CC is interested in receiving reports of this activity. = If machines under your administrative control are compromised, = please send mail to cert@xxxxxxxx with the following text included in = the subject line: "[CERT#33376]". Appendix A. - Vendor Information This appendix contains information provided by vendors for = this advisory. As vendors report new information to the CERT/CC, we = will update this section and note the changes in our revision history. If = a particular vendor is not listed below, we have not received = their comments. _________________________________________________________________ The CERT Coordination Center thanks the staff at the = Sendmail Consortium for bringing this issue to our attention. _________________________________________________________________ Feedback can be directed to the authors: Chad Dougherty, = Marty Lindner. = ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-28.html = ______________________________________________________________________ CERT/CC Contact Information Email: cert@xxxxxxxx Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) = / EDT(GMT-4) Monday through Friday; they are on call for = emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by = email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for = more information. Getting security information CERT publications and other security information are available = from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and = bulletins, send email to majordomo@xxxxxxxxx Please include in the body of = your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the = U.S. Patent and Trademark Office. = ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the = Software Engineering Institute is furnished on an "as is" basis. = Carnegie Mellon University makes no warranties of any kind, either expressed = or implied as to any matter including, but not limited to, warranty = of fitness for a particular purpose or merchantability, exclusivity = or results obtained from use of the material. Carnegie Mellon = University does not make any warranty of any kind with respect to freedom = from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History October 08, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPaNCtmjtSoHZUTs5AQHXrgQA2CkSFrIQxV9dLy07J0ezZgT2RrfCDpXY lPO0HhPe4kcbw4AMXs5LAjhA7DoW32PjAytRWOCNMu1FFDbl3eohf7OP2ZjtgYnD kwpfjPKVejJDD1BX2O/+jb1rlUKOm2tIt7NK+w8HKOKUYZal/x3RI3AxnAAGLv8A /DNWpyNYsGg=3D =3DfL1h -----END PGP SIGNATURE----- =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D To Unsubscribe, set digest or vacation mode or view archives use the below link. http://thethin.net/win2000list.cfm ================================== To Unsubscribe, set digest or vacation mode or view archives use the below link. http://thethin.net/win2000list.cfm