Slashdot Mirror
CERT: Sendmail Distribution Contained Trojan Horse
Scoria writes "According to a CERT advisory published this afternoon, the public distribution of Sendmail 8.12.6 contained a trojan horse from September 28 to October 6. For more detailed information, please consult advisory CA-2002-28." This sounds very much like what happened to OpenSSH.
As long as you could also get the source to the Trojan, as well... right?
Many eyes = better security but only when many > 0
At least we know that open source can have the same problems as closed, just caught faster!
...and that's why you should actually use those MD5 checksums, instead of unpacking and installing without thinking.
Its a sad day when Sendmail becomes the BitchX of email servers. Perhaps they'll merge with OpenSSH now?
C - A language that combines the speed of assembly with the ease of use of assembly.
PGP signing is a good way to prevent trojaned software like this case. But I think the process to verify the software is too complicated and not easy for all users to use. Let me ask you this, when is the last time you checked the hash or PGP signature after you download a software?
For most people, never.... It would be great if we have automatic download tools to check signature as well (obviously, we need standard for storing the signature as well)
How does this sort of thing happen? Don't the projects use some type of revision control so they can tell who checked things in? I hope no intruder is putting Trojan horses into my Verilog RTL at work! No patches for silicon.
If it's not one thing, it's Steve's Mother
Don't worry, there are no soldiers inside the Tojan horse.
CERT® Advisory CA-2002-28 Trojan Horse Sendmail Distribution
d 9d2137 sendmail.8.12.6.tar.Za fef34 sendmail.8.12.6.tar.sig
t ml
Original release date: October 08, 2002
Last revised: --
Source: CERT/CC
A complete revision history is at the end of this file.
Overview
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package were modified by an intruder to contain a Trojan horse.
Sites that employ, redistribute, or mirror the Sendmail package should immediately verify the integrity of their distribution.
I. Description
The CERT/CC has received confirmation that some copies of the source code for the Sendmail package have been modified by an intruder to contain a Trojan horse.
The following files were modified to include the malicious code:
sendmail.8.12.6.tar.Z
sendmail.8.12.6.tar.gz
These files began to appear in downloads from the FTP server ftp.sendmail.org on or around September 28, 2002. The Sendmail development team disabled the compromised FTP server on October 6, 2002 at approximately 22:15 PDT. It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to take the steps outlined in the Solution section as a precautionary measure.
The Trojan horse versions of Sendmail contain malicious code that is run during the process of building the software. This code forks a process that connects to a fixed remote server on 6667/tcp. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software. There is no evidence that the process is persistent after a reboot of the compromised system. However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process.
II. Impact
An intruder operating from the remote address specified in the malicious code can gain unauthorized remote access to any host that compiled a version of Sendmail from this Trojan horse version of the source code. The level of access would be that of the user who compiled the source code.
It is important to understand that the compromise is to the system that is used to build the Sendmail software and not to the systems that run the Sendmail daemon. Because the compromised system creates a tunnel to the intruder-controlled system, the intruder may have a path through network access controls.
III. Solution
Obtain an authentic version of Sendmail
The primary distribution site for Sendmail is
http://www.sendmail.org/
Sites that mirror the Sendmail source code are encouraged to verify the integrity of their sources.
Verify software authenticity
We strongly encourage sites that recently downloaded a copy of the Sendmail distribution to verify the authenticity of their distribution, regardless of where it was obtained. Furthermore, we encourage users to inspect any and all software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the file when trying to determine whether or not you have a copy of the Trojan horse version.
Verify PGP signatures
The Sendmail source distribution is cryptographically signed with the following PGP key:
pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002
Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45
The Trojan horse copy did not include an updated PGP signature, so attempts to verify its integrity would have failed. The sendmail.org staff has verified that the Trojan horse copies did indeed fail PGP signature checks.
Verify MD5 checksums
In the absence of PGP, you can use the following MD5 checksums to verify the integrity of your Sendmail source code distribution:
Correct versions:
73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889
8b9c78122044f4e4744fc447ee
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see
http://www.cert.org/incident_notes/IN-2001-06.h
Employ egress filtering
Egress filtering manages the flow of traffic as it leaves a network under your administrative control.
In the case of the Trojan horse Sendmail distribution, employing egress filtering can help prevent systems on your network from connecting to the remote intruder-controlled system. Blocking outbound TCP connections to port 6667 from your network reduces the risk of internal compromised machines communicating with the remote system.
Build software as an unprivileged user
Sites are encouraged to build software from source code as an unprivileged, non-root user on the system. This can lessen the immediate impact of Trojan horse software. Compiling software that contains Trojan horses as the root user results in a compromise that is much more difficult to reliably recover from than if the Trojan horse is executed as a normal, unprivileged user on the system.
Recovering from a system compromise
If you believe a system under your administrative control has been compromised, please follow the steps outlined in
Steps for Recovering from a UNIX or NT System Compromise
Reporting
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#33376]".
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
This is a good reason to compare the MD5 checksum of anything you download, source or binary, to what the author says it should be, especially if you downloaded from a mirror. Better yet, the author could use GnuPG and sign the code with his/her private key. Since only his/her public key can decrypt it, you know that the code has very likely not been tampered with.
bytesmythe
Hypocrisy is the resin that holds the plywood of society together.
-- Scott Meyer
The fact being is, I'm a Linux Sysadmin and I can trust Linux to be trojan free. Linus Torvaldos would be held responsible for any malicious code, but he's so smart that that would never happen. The fact being is, basically, people this day and age don't want you to think companies are bad. You have to look for a problem in anything, the fact being is is that when you found your problem you can start the research and development project. The fact being is the denotation of research is to investigate exaustivley.
praise the Lord Jesus Christ Most High
Amen
S1R B4RD teh Hax
It's been a long time since I installed sendmail or inn or bind from sources. At some point I stopped checking MD5 signatures, and now I trust the major distros to do that for me. I sure hope they're more vigilant than me. And I used to be so paranoid... This is a nasty wake-up call.
Gentoo automagically checks MD5 sums when it downloads source packages during installs/updates. Very handy.
bytesmythe
Hypocrisy is the resin that holds the plywood of society together.
-- Scott Meyer
everyone says just check sums, but how are these people changing the file? If they can change the tarball on the server than why not change the page to have thier md5?
What?! It's not M$? oh.......
Does it irritate anybody (if you're very stupid) that hexadecimal is used in the checksum? Since you love decimal so much. Decimal is evil.
Well, If you don't mind using a proprietary program written by a person with the same level of maturity and social skills as a mentally retarded 5 year-old.
in other news, more open source advocates congratulated themselves on having provided more secure IT solutions than the closed source competition
Good thing I use Exchange Server. I've got a tight ship there.
Gasp! This happened to a non-microsoft entity?
Pack up the kids, Madge! We's goin' ta the mountns!
dell is a company of linux cohorts. that is why the install redhat on some of their servers. they suck the linus torvaldos cox. they probably installed nimda on their computers because they use linux on their installer computers. i know this because i work for microsoft.
That way when you get your software you know who put the security holes in it. It's all part of trustworthy computing... ;-)
We always knew it was a piece of insecure crap. so no surprise. Qmail or even mailx is MUCH more secure.
NO! NO! Please don't mod me, I'm too young to die a troll. *click* Oh the pain, the pain...
This is simply not true. Have you heard of for-profit software vendors _ever_ taking monetary responsibility for damage their software has caused through bugs? Never. They'd classify this as a bug, fix it, apologize and go on..... Just like Sendmail will.
It's also not true in the assertion that for-profit vendors don't send trojans or worms with their disks. Doesn't happen much anymore, but it was know to happen in the days before _everyone_ started using AV software (pre melisa).
TW
Further proof that security through obscurity don't work.
According to the advisory, it was only the FTP site that was compromised (The HTTP was fine).
So, as for those that are saying it's an Open Source problem, this is just wrong.
There's been alot more closed software distributed with Viri/Trojan Horses. The truth is, this is bound to happen if the public archives are on an unsecured server...I even seem to remember pressed CDs being distributed with trojans.
So, what are they doing to keep this from happening again?
1) They obviously didn't have access to the website, as the HTTP downloads of Sendmail were NOT compromised
2) It didn't get discovered for a week, so obviously no one used the check sums.
s200.org - visit it (me), love it (me).
Is doing a
# netstat -a | grep 6667
all that is necessary to see if one has a the open port, or is there more to it than that?
I considered doing sendmail, but then I remembered how fucking thick the ORA sendmail book is and how complex it is, so I decided, "screw it, let's try postfix, I have never tried it before." If I had gone with sendmail, there would be some serious egg on my face tomorrow morning. We might be running MS exchange within a week if that had happened.
(Oh yeah, and postfix was pretty easy to set up.)
Umm...yeah so some malicious code got through, but ummm....what about MS not releasing info on bugs until 3 months later, or how about them not being about to figure out why servers running 2k are being cracked(how politcally correct) left and right.
After reading the posting we'll note this is VERY similar to the OpenSSH trojan. The trojan doesn't wind up in the sendmail binary but is actually created during the build process.
So more than just checking the MD5sums of things you download you need to watch who you compile as, since the trojan will have the privledges of whoever compiled sendmail. This isn't exactly the most sly trojan either, it is quite blatent about how it creates a tunnel to a specified target, this can also help the intruder avoid firewall rules and detection.
If you find you've been affected by the trojan you would be wise to reinstall the system from known clean code since the intruder may have already created other backdoors from themself.
Ahem. Sorry. Couldn't resist. AAH! Don't mark it troll yet! Keep reading!
Ok, folks will say "Well here's a great example of a problem cryptography would prevent." Well as long as the guys inserting the trojans aren't contributing to your code base. Minor detail there. Keep in mind that a "trojan" can be as easy to code up as allowing a buffer overflow to take place (AND you have plausible deniability there.) Ok. So I'm paranoid.
So lets talk about the crypto side of things again. Since I'm paranoid and all that. Do you trust the project maintainer's system security? Reckon he allows anyone to log into his system? Do you trust their security and the network they come over? For that matter, reckon the CVS archive the code's stored on could be compromised? Do you see what we're up against yet? Paranoia...
Ok, lets say we've checked out his sytem and it's sterling. Key server/key management is a big pain in the ass right now. It'd be nice to have some infrastructure in place where I could go to a brick and mortar, establish my identity (Here's my passport, driver's license yadda yadda) and load MY PGP public key onto their server with their signature attached. Might even be worth a few bucks for me. That'd make that whole expiration thing pretty easy to deal with too.
It also seems to be that the US Postal Service would be the ideal venue for this infrastructure. As much of a pain in the ass as they are to deal with, it'd make the whole key revocation/renewal thing much easier. And it'd be a whole lot more secure than me asking my friends to sign my key via E-mail.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I used qmail on my servers, it runs very smoothly and I haven't had any problems since I got it properly configured. I'm still trying to figure out how to use SMTP AUTH though (it seems that qmail requires the addins of others to use this) and having to change outgoing mail settings on my laptop whenever I go somewhere is a pain in the butt. life with qmail details all the necessary instructions except for SMTP AUTH configuration.
/. would be so kind as to offer a good SMTP AUTH plug with a comprehensive set of instructions, I'd recommend you try it.
If somebody on
That's why I'm still running sendmail from 1996!
How long does it take for all the trojan infested code to propagate out of use?
I wonder how many admins download/install packages, go on vacation (missing all the warnings), and simply never hear of the problem.
I think it would be interesting to see some statistics on this topic.
If it's not one thing, it's Steve's Mother
I'd like to see a standard install procedure that doesn't involve granting unrestricted root access to every little 3rd party app/utility I want to install.
But OSS developers are too attached to their make install method. It won't happen.
Hell, I don't care about the maturity of the author as long as it works as advertised. Which it does.
Who's *really* concerned with the 'social skills' of a computer programmer anyways? Asshat.
Whenver there are security breaches in MS software the response around this place sure is a little different... Can't /. think logically for once?
Seconded.
Our mail server sent 9,094 messages to 124,932 recipients in the last seven days using the qmail/ezmlm-idx combination. It has carried a similar load every seven days for the past few years.
I don't think about it. I don't touch it. I never have to do anything to it. It Just Works(TM).
As for Dan being a bit of a boor, I've never had to think about, touch, or do anything to him either, so that's not an issue. Don't let his reportedly poor social skills obscure the fact that he happens to write great software.
Let's see, a Trojan Horse is basically defined as an undocumented chunk of code hiding inside a program, which does something that you don't know about or understand.
Sendmail is such a complex beast that, no matter how much you personally know about it, there are always things in there that you don't know about or understand.
So it has always been full or Trojan Horses.
This is the fundamental thing that's wrong with building a hugs program that tries to do everything possible. Pretty much all the other mail tools are better at sendmail in this respect, because they only try to be a mail tool.
Sendmail, OTOH, is an emulator for a rather complex sort of machine language. Some time back, someone demonstrated that it was possible to emulate a Turing machine with a sendmail.cf file. Impressive as this may be technically, it's way overkill for the task, and it shouldn't be any surprise to anyone when problems turn up in sendmail and aren't discoverted for a while.
It's guaranteed that there are others lurking inside that monster.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
If qmail was free software it wouldn't matter much. As it stands now, qmail users depend on the whims of a loon.
Postfix was written with the same principles
as qmail and its open source.
Hmmm. Except this looks a bit uglier.
Of course, the headline for that was very different. A bit more, let's say, sensationalistic. Yeah, that's the word I was looking for.
How do you check the signature and whytf didn't the cert page say how to!?
Seriously. What is the w0rld coming to.
Is there any evidence for both trojans being related by the same person/group?
A MD5 checksum is COMPLETELY IRRELEVANT. If the primary (e.g. trusted) provider initiates a build with a tojan included, MD5 checksums mean nothing folks... checksums are used to validate downloads, not the "content" of the download...
How 'bout a quick tutorial from someone who knows pgp or gpg or MD5 on how to use it to figure out if my recent install is trojaned?
Also, the CERT advisory doesn't give any fixes, it just gives the signatures. It doesn't seem like installing a good version would eliminate the trojan.
The script kiddie who put the trojan there in the first place is probably the same person who is posting all the OSS/GNU/Linux bashing.... Oh wait the person who is making all those posts probably couldn't script his way out of a paper bag.
(yes - this post is intended to be modded down - It was just a way for me to "express" me "feelings" toward the ignorant people who start those stupid flames. In the end it looks like they drug me down to their level - In that case - Bring out the asbestos suit!)
So be it. For the time being, I have a perfectly good mail server sitting at home running qmail. It sends and receives mail exactly how I want it to. If the loon suddenly decides to put some loony function in his loony software, I won't upgrade or I'll switch to something else. Options are great.
It seems like every time a new trojan/worm/misc virus hits the scene, a thousand posts go up accusing that software of being horribly insecure and advocating some other software of the same type as being better.
It's quite simple... software can be infected by viruses, open source, closed source, any operating system or language. Just because today it's Sendmail that took a hit doesn't mean that it couldn't be qmail tomorrow.
If you got a virus, don't blame it on the software you downloaded, blame it on yourself for not validating it first.
By reading this comment, you immediately waive any and all rights regarding it.
I did. It is Life with QMail on steroids. Plus it has a great troubleshooting section. And every part goes further into detail. The only thing out of date is the daemontools but if you can read the info that you download with it you'll be fine.
Buy the book, you'll thank me later. QMail is great but it's a very detailed process of installing all the associated s/w. relay-ctrl is critical as well (to avoid becoming a spam server for "Smoking your way thin" and "Get confident stupid!" seminars (ahhh I miss Troy McClure).
OU 17 TX 10
Here's what I like about qmail: in the three years since I switched our main mail server to qmail, I haven't upgraded qmail. Never touched it. I've had to make a couple minor configuration changes as our operation has expanded (new MX records, new rcpthosts - but qmail makes even this easy as it tells you exactly what to do in the bounce messages). Even though we get roughly five times more mail now (mostly spam), I haven't had to tweak it for performance or anything.
Compare that to apache, openssh or any other significantly complex software. If you're running an unpatched apache install from three years ago, you're rootable (don't get me wrong, I regularly deploy apache and openssh, but I also have to patch and upgrade them regularly).
qmail = more time for beer
And just to be annoying. If you had read the article you would have found out that this was not a configuration issue or even an issue with the binary, but a trojan horse implanted in the configure script.
However, I much prefer postfix anyway.
kc8apf
Big apps like sendmail and exchange that wants to do everything are always going to be bug ridden. Thats mainly because the code is so big that its impossible to have a complete picture of how everything interacts. Installing and hiding trojans in a large CVS tree is easier too than in a small tree. Learn from MS on this one. Do everything halfbad or one thing excellent.
Putting software on secure servers or better to put them on a community server would be nice. I can understand that coders dont want to tinker on their servers when they want to code but why not get some help?
HTTP/1.1 400
Ummm, I suppose the answer would be because they did figure it out several weeks ago.
Try keeping up with both sides of the news.
Ximian's Red Carpet does MD5 and GPG verification of packages every time it does an install or an update.
...if it was, we wouldn't hear about it for another 3 months, and then it wouldn't get fixed for another 6 assuming MS even chooses to acknowledge it.
Sorry but QMAIL is not truly "free". It has been dropped from the OpenBSD ports collection because of DJB's licensing.
Not to mention that you 'll need a big partition to hold
There are LONNNNNNGGGG threads about it on the mail lists
Don't take my word for it..Read them for yourself
I realize that qmail wouldn't solve the problem of modified tarballs that allow trojans to come alive during builds (that's what md5s are for), but if you're really worried about security you'd probably be using qmail anyway. If you can prove me, the author, and everyone else who has a qmail fetish wrong, there's a prize in it for you.
After the number of open e-mail relays I've had to deal with, sendmail leaves a sour taste in my mouth. Using the blacklist that has no real regulation on it doesn't seem to help, either. Closing a relay makes users upset. Sendmail is a lose-lose situation, and now there's a trojan in it to top it off. Wee!
Trolls make great pets. Adopt one today!
It isn't that complex to do it right, but as we all know, it's the human factors that get you. I'm sure GnuPG has all the functions necessary to implement it, but you need a trusted party with rock solid proceedures to ensure the top of the chain. What do people do for a CA for their signatures?
As long as you can be certain that: 1) You have the correct public key for the signing authority, and 2) nobody but the signing authority can get access to the corresponding private key. You can do it yourself by generating a key set for your own CA to a floppy and then making signing keys for yourself and your friends from there. You only need the public key to make a certificate, so a friend can email it to you, you get out your floppy and sign with GnuPG, and send the cert back. Keeping your signing keys off-line is a good idea too (if your paranoid, but who can afford not to be with this stuff going on).
Now, the only point that can be attacked is to compromise the CA's signing certificate (This is the CA's public key, signed by itself). If you squirl away a copy of it and get a new copy from time to time to double check you should be completely safe. You could use a public CA, but the commercial ones tend to charge a lot, so it would be nice to have a cooperative CA that does it on the cheap, but still does it well (Does such a thing exist?). Since someone is obviously getting their jollies by compromising distributions on public ftp servers, I'd be a little careful about setting this up. As long as the root signing key is safe (This is the private key), you can make lots of copies of the root certificate (on differenct servers, of course) and verify them with each other periodically.
With all of this in place it should be a simple matter to script the verification of signed signatures. I know I'm not the only person who knows how to do this correctly, so perhaps this is already done. If not, it looks like an excellent project for someone wanting to do this stuff.
(ahhh I miss Troy McClure).
No kidding. Phil Hartman's death was the Worst Thing Ever, and the world's worse for it.
http://www.postfix.org :P
Yup, I got slimed, and I'm not an easy person to slime. This dude is the first person ever to get one up on me. But I'll have my revenge. I diffed the malicious source tree with the authentic one and found the malicious code. It looks amazingly innocuous until you base64 decode the shell script :-). His IP address is 66.37.138.99.
>Well, If you don't mind using a proprietary
>program written by a person with the same level of
>maturity and social skills as a mentally retarded
>5 year-old.
Don't forget "that hasn't had a new release in over four years and neglects to implement a lot of basic standards like authentication or encryption".
Matt
>It is still funny, simply because it is yet
>another sendmail problem.
Yeah, and if someone breaks into your house and pees on your carpet, it's yet another carpet problem.
Matt
for those of us too lazy to make the extra click -- we thank you.
there was a single DoS one that i know of, but other than that no exchange 2000 exploits exist. i've never heard of a total remote access exploit for 5.5 or 2000.
outlook web access / iis is the only source of problems, but that's all iis' fault.
(see title) would be nice. Does it go into some detail on SMTP AUTH? I generally don't spend cash on things I can probably muddle through on my own, but yes, making myself target as a bounce-relay for "get a 10 inch dong in no-so-long", "make your weiner meaner" ads would not be good.
/. help would probably do me just as well as a book in regards to AUTH, or perhaps just a little more looking for a decent documentation site.
Still, a little
is anybody aware of a statement from either that certifies a make build/make world from stable sources in the last few months WAS bugged?
MD5 Checksums have a higher rate of collisions, both in the wild and artifically. A machine can be built for only around $100k or less which can find collisions in less than 24 hours. Hell, in a few years standard computers could probably generate collisions easily. SHA1 (Simple Hash Algorithm) is a much better alternative over MD5.
The previous version of MD5, MD4, was so flawed it is now considered "broken". "Dobbertin [Dob95] has shown how collisions for the full version of MD4 can be found in under a minute on a typical PC... Clearly, MD4 should now be considered broken.".
SHA1, while of the same family of hashes as MD4 and MD5, remains uncompromised by any research discoveries, and is widely used in many applications requiring the highest levels of security.
Gnutella, the File Sharing Protocol, uses SHA1 over MD5 for the same reasons I state here. A developer of Bitzi (the Metadata/Hash catalog) has also recommended to the Gnutella Developer Forum not to use MD5, but SHA1 instead. Thus, people should be using SHA1 instead of MD5. I've noticed some major websites and companies are using MD5 hash's now, such as Adobe and Roxio. I would recommend to them to change them to SHA1 instead, since Gnutella supports it (and the fact that it is a much more secure and stronger hash algorithm)... and they can use MAGNET URI's to link to the files on Gnutella.
If you had read the advisory first, you wouldn't go shooting your mouth about how overly complex Sendmail is, or how its possible to create a cf file that can emulate a Turing machine, or how it used to be full of buffer overflows, etc, etc. The build process was trojaned... even the news posting mentioned that it was just like the OpenSSH trojaning. The actual source code files weren't altered, just the makefiles & scripts. You should all know by now to block port 6667 on your firewalls, waste of fricking time ;-)
Anyone seen my low uid? last seen 10 years ago while panning the #@$# out of Taco's 'web based discussion system'
(sorry, I have to get this out of my system)
...
:-)
READ THE ARTICLE AND REALIZE WHAT IS GOING ON!
It says that:
The FTP-server of sendmail.org was compromised.
It doesn't say that:
- somebody commited code to the CVS server.
- nobody reads the commitlog of the CVS server.
It says that:
The sendmail-distribution was trojaned.
It doesn't say that:
- sendmail itself was trojaned
- there are trojans inside sendmail
- qmail/postfix is better because it isn't trojaned.
- exchange is better because the source is closed. It's the distribution which is corrupted, not the software.
It says that:
The correct MD5-checksum is
It doesn't say that:
- with PGP signing it wouldn't be prevented. Security is a process, you need to follow the rules or you are not secure. You should check all checksum/signatures you have, preferable from independant resources (e.g. one from sendmail.com and one from your unix-distribution).
Next time, please read the article and realize what's going on before you post (apologies to the people who actually did
Edwin (yes, the guy from the OpenSSH trojan)
bash$
...does a troll like the parent not get modded as "Troll".
Or should it be "+1, Funny", and I missed the humour together with the crack abusers known as moderators?
-f
www.blackant.net
And what does the trojan do ? How to detect it ? More details ?
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I have made the backdoor'd sendmail code available at http://www.enzotech.net/files/sm.backdoor.patch and the base64 portion is decoded at http://www.enzotech.net/files/sm.backdoor.base64.t xt
This was diff'd from a previously downloaded tar ball that we were using for analysis of another bug.
That carpet... it really tied the room together, man.
</ lebowski quote>
I was wondering if anyone would think the same thing I was when I was writing that comment. :)
Matt
"I've got PEOPLE SKILLS, dammit!"
> does anybody know if either tree in the last couple months had trojaned code
> in it, exploiting make builders?
Not affected. When I committed sendmail 8.12.6 the tarball I fetched
was not the trojaned one. Even if it had been we probably would
not have been affected since we don't use sendmail's build system
(which is where the trojan was apparently inserted).
- todd
MD5 checksums are good for detecting corruption - bad downloads, etc. They don't help against tampering, because the Bad Guy can also tamper with the checksum, unless there's some separate distribution method. That's why public-key signatures are so important.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
FTP servers have a reputation for bad implementations, though perhaps I'm just annoyed at having had a wu-ftp crack let my machine get hosed a year or two ago. If it wasn't an inside job, then it's likely to have been some exploit like that - which is especially likely, since the HTTP server's version was clean.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Well, that's what happens when you FUCK A STRANGER IN THE ASS LARRY!
--
Freeper Logic
for those of us too lazy to make the extra click
Too bad I already did.
Do you care about the security of your wireless mouse?
You know where you are? You're in the $PATH, baby. You're gonna get executed!
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I downloaded and installed Oct 4th. I checked the PGP signature. It was bad. Then I remembered that they sign the tar, and not the tar.gz like most. gzip -dc, and sig was good. My lucky day...
Now if I just had a line of trust to ensure that the key I used to check the sig was good... Any of the 20 or so people who have signed that key care to show me a passport or drivers license? I'll buy you a cup of coffee...
we need more protection to Protest us from these Trojans!
Wait... Protest us FROM....
But... the ads said...
"PC Load Letter? What the $@#% does that mean?!"
I think sendmail.org should up the version number at once and kill the .6 version once and for all. That would allow many people to look at what they have and say "yep, its .6, throw it out" but they want to keep the old version number so people get to play games. There are many reasons why they won't have the origianl tar ball and they have a very simple way to insure people don't have the trojaned version.
I download the tarball and MD5s. Then I want to verify the signature. For that I need a public key or something like that of the developer that signed the tarball.Since I never met him, I must resort to download also that from an internet place, probably the same from which I downloaded the source.
Now, what prevents whoever cracked the server and placed the troianed tarballs on it, to also change the public key, so that it matches the couterfeit signed tarball?
At a minimum, one should go to some forum/ML and check the key with a dozen or so other users, choosing the ones that got the key in different places and times.
Or am I missing something ?
Ciao
----
FB
You must be use to MS who has to do contsant releases for bug fixes and more money. See, sometimes software can actually become stable. Unlike Sendmail which is about as stable as a elephant in a raft.
Why should anyone be able to trust Sendmail anymore now that they're own version has a trojan horse in it?
Would you rather use a stable mail server that has really no known bugs in like 3-4yrs, or one that is contantly updated and has had a trojan horse?
Hmm. lets see.
WTF? Do you know any about qmail? I run qmail on a 8gig hard drive and only about 800MB is used and most of that is non-qmail related. I dont know what the fuck you're even talking about.
/. troll.
I think you're just a typical
Lots of people are mentioning postfix and qmail - personally I'd recommend exim (www.exim.org) which has proved itself everywhere I've used it, to be an excellent MTA. English config files, flexibility, all manner of database lookups as well as flat files, speed and reliability. To top things off it's an easy migration since it works as a drop-in replacement for sendmail if you so wish.
--
ALL YOUR BASE ARE BELONG TO US!
I mean, would even the most sociopathic malware coder want to get on the wrong side of Dan Bernstein? That man is scary. :)
"Are you being weird, or sarcastic?" said Emma. I said I didn't know because I get the two feelings mixed up.
Are you certain? :)
Do you like German cars?
Please go back and crawl under your rock now.
Thank you.
Someone ought to start doing back-trace and see how that trojan horse get inserted in the package.
This "insert trojan horse" practice is becoming serious now. First it was OpenSSH, now it's Sendmail.
If we are not careful enough, next time we may see distros coming up with trojan horses all over the place.
Just like a chain will only be as strong as its weakest link, security will only be as good as where it breaks down.
Back-tracing is a must, in situation like this !
Muchas Gracias, Señor Edward Snowden !
don't be frustrated: one day, for sure, you'll succeed the mandrake installation process.
ahah.
In building a server for "production" use I generally download all source on one system, burn a cdrw and then put this burned cdrw with any downloaded source code, updates, etc into the server I am working on.
The server is only connected to a small workgroup switch with no connection to a public network.
Only when the server is installed and patched to latest revisions does it ever see the public networks.
No, I'm an LFSer so I compiled it myself. However, I can't find any evidence that the cracker actually bothered with my system. No warez, no modified passwords, nothing suspicious in the logs, no suspicious timestamps. Of course, none of this really means anything since I was negligent enough to compile sendmail as root and root can reverse any of the above. For all I know, /usr/bin/insert_obscure_utility_here has been modified to make me a drone in a future DDoS.
On the bright side, I tested the malicious code and it seems to error out on my system, but I can't be sure since port 6667 on Eli's system is no longer open.
Oh, and Eli - perhaps the cat is responsible. My port scan of you indicated no obvious vulnerabilities unless your OpenSSL is unpatched. But Snuffy has physical access, no? Also, perhaps you might want to put a disclaimer on your webpage?
>You must be use to MS who has to do contsant
>releases for bug fixes and more money. See,
>sometimes software can actually become stable.
Actually, no, the last time I ran an MS product at home for any length of time was DOS 5.0. I used NT 4.0 at one of my jobs for a period, but that was only to run a 3270 emulator for accessing the mainframe.
For the record, I *do* use qmail in a production environment, for thousands of domains. It requires a lot of patching to make it a usable product.
>Would you rather use a stable mail server that has
>really no known bugs in like 3-4yrs, or one that
>is contantly updated and has had a trojan horse?
Actually, I'd rather use a mail server that implements at least SOME of the standards that have come out in the past seven or eight years.
Stable doesn't mean jack shit if the software doesn't do what you need it to.
Matt
Maybe this is Microsoft's new tactic at attacking OSS... make it look insecure and unstable by sneaking in bugs, trojans, virus, etc. I wouldn't put it beyond them.
RH does sign all its rpm-packages, but the signatures are not checked automaticly when you install some package. With up2date they are, but with rpm-program you need to use --checksig first.
I doubt if even 5% of rpm-users uses --checksig ever.
rpm should be changed so it always does --checksig integrity check first automaticly before installing/upgrading any package(s), if not implicitely some option would have been turned off in the configuration file or by a command line argument (--nochecksig)
An unreported trojan was in place of a kernel routine with allows admin access in a known major closed source software house operating system...
Check it out here. -dave
Give it up, Mulder... Not everyone is out to get you
No sig for the moment.
If files from ftp.sendmail.org get infected, then people could probably get a bogus key as well.
This difference, though, is that one can download a public GPG key from a site (like sendmail.org or something) and continue using it to verify software over several versions.
Not only that, but public keys (or even complete keyrings containing public keys for groups of developers) can be obtained from multiple, different sources, all of which in turn are different and ideally independent of where one downloads the source tarball from.
This means one can obtain a developer's key or keyring from, say, a public key server (or two, or several), some ftp site (preferably a different non-mirror one from the tarball), a purchased CD, or any number of other places, check them against each other (make sure none disagree), and use them to check a download immediately, as well as 5 years from now.
The cracker would have to not only trojan the tarball, but also break into numerous independent key servers around the globe, numerous ftp sites around the globe, likely numerous web sites as well, and perhaps even various freenet nodes as well (if that is being used to distribute keys as well). And for those who anti up $5 for a CD with developers keys on it, they'd have to intercept the postal service and swap CDs as well (or crack the master CD before it goes to press).
Good luck. Even the NSA would probably have trouble pulling something like that off.
The Future of Human Evolution: Autonomy
I don't see how you can begin to compare this security problem to the hole in ssh/ssl.
You see in those cases it's a standard unchecked buffer problem, which is exploitable.
In this case a virus was deliberatly planted in a distro of some OSS. This is a much much bigger deal.
yea, the carpet should self clean itself instead of letting the urine stay
I sent a story to Slashdot about this trojan in the "Official" BitchX source tarball and you idiots just ignored it... so I mentioned it in several places on slashdot so that somebody might be saved the embarassment of running it.
./configure.
/etc/passwd.
I reported it to the "proper authorities" too, so don't anybody get on your high horse about slashdot not being the place to report these things.
The trojan is IN the configure script, and it
gives a remote IRC server a shell on your system
owned by whatever user ran
The address of the remote server is liable to
change from day to day, so the md5sum of the
trojanned tarball can change.
There is another version that makes a call to
'mail' instead of running the backdoor.
In any case the trojan can often be found by
grepping the string 'passwd' in the configure
script, since both the mail and IRC versions
both read
Basically, from now until doomsday it is absolutely necessary to run a packet sniffer
while you build, install, and run programs as
root. Sad but true. The jokers who are putting
this trojan everywhere will go as far as hijacking DNS to do it, so it's going to be around for awhile.
/me *yawns*
Ohhhhhhhhhh!
First OpenSSH, then Sendmail...
Consistant use of best practices everywhere would prevent this, but that just doesn't happen. I don't actually use Sendmail (prefer exim), but I do use OpenSSH, and either way, these are both major applications... when is GCC going to be trojaned? And then will it be a week of compiling other apps and kernels and modules before it's discovered? I hope not.
That said, I'm not running anything but Linux/BSD and OpenSource software... wouldn't have it any other way.
-yb
However, people would probably not fetch the public key from the same place, but from a keyserver. That helps a bit, but not a lot. There is nothing that stops anyone from generating a keypair with the same name and address as the original source, and quite possibly, you would see the file verified, but still by the wrong key.
Even if you would have two public keys, you would have no idea which one to trust. So, signing is no magic bullet.
We have to get much better at organizing keysigning parties. Keysigning parties are really the key (yeah, pun intended, puns are cool! :-) ) to this problem.
Gather friends every now and then, make sure you have a printout on you fingerprint on you at all times, whenever you travel, try to find somebody to meet, and so on. That way, we will build a web of trust which is so strong, people can identify valid keys, and then we're an awful lot better prepared to face this kind of problems.
Make sure you sign up at Biglumber, that you check it when you're out travelling, and that you subscribe to the "keysignings" list to keep up to date when things are happening in you area.
And, then, I'd really like to see my distro check sigs by default.
Yeah, and my keyid is 6A6A0BBC.
Employee of Inrupt, Project Release Manager and Community Manager for Solid
Sometimes I wonder about those ./ points. Being offtopic, this one got still 5.
You do (sometimes) publicise non-MS vulnerabilities.
These apps are only trivial as long as you want to modify your production systems to run exactly the way that djb thinks they should. DJB software is poorly documented and more trouble than it is worth.
Anyone know?
"With Microsoft, you get Windows. With Linux, you get the full house" - unknown
durf, durf :(
Electricity is actually made up of extremely tiny particles, called
electrons, that you cannot see with the naked eye unless you have been
drinking. Electrons travel at the speed of light, which in most American
homes is 110 volts per hour. This is very fast. In the time it has taken
you to read this sentence so far, an electron could have traveled all the
way from San Francisco to Hackensack, New Jersey, although God alone knows
why it would want to.
The five main kinds of electricity are alternating current, direct current,
lightning, static, and European. Most American homes have alternating
current, which means that the electricity goes in one direction for a while,
then goes in the other direction. This prevents harmful electron buildup in
the wires.
-- Dave Barry, "The Taming of the Screw"
- this post brought to you by the Automated Last Post Generator...