Great Circle Associates Firewalls
(April 1994)
 


Subject: Re: CERT Advisory - wuarchive ftpd Trojan Horse
From: Christopher Klaus <cklaus @ shadow . net>
Date: Wed, 6 Apr 94 13:56:27 EDT
To: firewalls @ greatcircle . com, bugtraq @ crimelab . com
In-reply-to: <9404061654 . AA02450 @ clorets . cert . org>; from "CERT Advisory" at Apr 6, 94 12:51 pm

> 
Yikes.  Here is something you might want to take fast action against.

I wish CERT would have posted more details though,
like how the trojan worked or where it was or what sites
contained a copy of it.  How do I know the newest version
2.3 has not already been modified?




> =============================================================================
> CA-94:07                         CERT Advisory
>                                  April 6, 1994
>                           wuarchive ftpd Trojan Horse
> -----------------------------------------------------------------------------
> 
> The CERT Coordination Center has received confirmation that some copies
> of the source code for the wuarchive FTP daemon (ftpd) were modified by 
> an intruder, and contain a Trojan horse.
> 
> We strongly recommend that any site running the wuarchive ftpd take steps 
> to immediately install version 2.3, or disable their FTP daemon.
> 
> -----------------------------------------------------------------------------
> 
> I.   Description
> 
>      Some copies of the source code for versions 2.2 and 2.1f of the 
>      wuarchive ftpd were modified by an intruder, and contain a Trojan
>      horse.  If your FTP daemon was compiled from the intruder-modified 
>      source code, you are vulnerable.
> 
>      It is possible that previous versions of the source code for the server 
>      were modified in a similar manner.
> 
>      If you are running the wuarchive ftpd, but not providing anonymous FTP 
>      access, you are still vulnerable to this Trojan horse.
> 
> 
> II.  Impact
> 
>      An intruder can gain root access on a host running an FTP daemon 
>      that contains this Trojan horse.
> 
> 
> III. Solution
> 
>      We strongly recommend that any site running the wuarchive ftpd (version 
>      2.2 or earlier) take steps to immediately install version 2.3. 
> 
>      If you cannot install the new version in a timely manner, you should 
>      disable FTP service.  It is not sufficient to disable anonymous FTP.  
>      You must disable the FTP daemon. 
> 
>      Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net, in the 
>      "/networking/ftp/wuarchive-ftpd" directory.  We recommend that you turn
>      off your FTP server until you have installed the new version.  
> 
>      Be certain to verify the checksum information to confirm that you have
>      retrieved a valid copy.
> 
>                         BSD        SVR4         
>      File               Checksum   Checksum    MD5 Digital Signature
>      -----------------  --------   ---------   --------------------------------
>      wu-ftpd-2.3.tar.Z  24416 181  30488 361   e58adc5ce0b6eae34f3f2389e9dc9197
> 
> 
> ---------------------------------------------------------------------------
> The CERT Coordination Center wishes to thank Bryan O'Connor and Chris Myers 
> of Washington University in St. Louis for their invaluable assistance in 
> resolving this problem.  CERT also gratefully acknowledges the help of
> Neil Woods and Karl Strickland.
> ---------------------------------------------------------------------------
> 
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident
> Response and Security Teams (FIRST).
> 
> If you wish to send sensitive incident or vulnerability information to 
> CERT via electronic mail, CERT strongly advises that the e-mail be encrypted.
> CERT can support a shared DES key, PGP (public key available via
> anonymous FTP on info.cert.org), or PEM (contact CERT for details).
> 
> Internet E-mail: cert @ cert . org
> Telephone: 412-268-7090 (24-hour hotline)
>            CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
>            and are on call for emergencies during other hours.
> 
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh, PA 15213-3890
> 
> Past advisories, information about FIRST representatives, and other
> information related to computer security are available via anonymous
> FTP from info.cert.org.
> 
> 


-- 
Christopher William Klaus  Email: cklaus @ shadow . net  Author:Inet Sec. Scanner
2209 Summit Place Drive,Dunwoody, GA 30350-2430. (404)998-5871.
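
Added example, not part of the original post or the CERT advisory: one way to carry out the advisory's "verify the checksum information" step by recomputing all three columns of its table (BSD `sum`, SVR4 `sum`, MD5) for a downloaded tarball. The expected values are copied from the advisory; the function names and the sample bytes in the demo are constructed for illustration.

```python
import hashlib

# Values copied from the advisory's table for wu-ftpd-2.3.tar.Z.
ADVISORY = {"bsd": (24416, 181), "sysv": (30488, 361),
            "md5": "e58adc5ce0b6eae34f3f2389e9dc9197"}

def bsd_sum(data: bytes):
    """BSD `sum`: 16-bit rotate-right-then-add checksum, size in 1024-byte blocks."""
    c = 0
    for b in data:
        c = (c >> 1) | ((c & 1) << 15)      # rotate right by one bit
        c = (c + b) & 0xFFFF
    return c, -(-len(data) // 1024)         # ceiling division

def sysv_sum(data: bytes):
    """SVR4 `sum`: byte total folded to 16 bits, size in 512-byte blocks."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16), -(-len(data) // 512)

def fingerprints(data: bytes):
    """Compute the three values the advisory publishes for a file's bytes."""
    return {"bsd": bsd_sum(data), "sysv": sysv_sum(data),
            "md5": hashlib.md5(data).hexdigest()}

def verify(data: bytes, expected: dict):
    """Return the fields that do NOT match; an empty list means all agree."""
    got = fingerprints(data)
    return [k for k in ("bsd", "sysv", "md5") if got[k] != expected[k]]

def verify_file(path: str, expected: dict = ADVISORY):
    with open(path, "rb") as fh:
        return verify(fh.read(), expected)

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                  # e.g. python verify.py wu-ftpd-2.3.tar.Z
        bad = verify_file(sys.argv[1])
        print("OK" if not bad else "MISMATCH: " + ", ".join(bad))
    else:
        # Constructed demo: reordering bytes keeps the byte total, so the
        # SVR4 sum still matches while the BSD sum and MD5 do not.
        good = b"wu-ftpd constructed sample"
        swapped = b"uw-ftpd constructed sample"
        print(verify(swapped, fingerprints(good)))
```

The second number in each `sum` column is a block count (1024-byte blocks for BSD, 512-byte blocks for SVR4), which is why the table shows 181 and 361 for the same file. The two `sum` values only catch accidental corruption; of the three columns only the MD5 digest was designed to resist deliberate modification, and MD5 has since been broken for collision resistance.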
