TCLUG Archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

tcp_wrappers advisory



From Linux Today (http://www.linuxtoday.com/stories/2488.html):

[ headlines | features | commercial | security | contribute | advertise
| search | site digests | mailing lists | about us | link us ] 

 CERT outputs advisory on TCP Wrappers
  Jan 22nd, 00:04:00 

     From: CERT Advisory <cert-advisory@cert.org>
  Subject: CERT Advisory CA-99.01 - TCP.Wrappers
     Date: Thu, 21 Jan 1999 21:08:48 -0500
       To: cert-advisory@coal.cert.org
 Reply-To: cert-advisory-request@cert.org

 -----BEGIN PGP SIGNED MESSAGE-----

 CERT Advisory CA-99-01-Trojan-TCP-Wrappers

    Original issue date: January 21, 1999
    
 Topic: Trojan horse version of TCP Wrappers
      _________________________________________________________________
    
    The CERT Coordination Center has received confirmation that some
    copies of the source code for the TCP Wrappers tool (tcpd) were
    modified by an intruder and contain a Trojan horse.
    
    We strongly encourage sites running the TCP Wrappers tool to
    immediately verify the integrity of their distribution.
      _________________________________________________________________
    
 I. Description

    TCP Wrappers is a tool commonly used on Unix systems to monitor and
    filter connections to network services.
    
    The CERT Coordination Center has received confirmation that some
    copies of the file tcp_wrappers_7.6.tar.gz have been modified by an
    intruder and contain a Trojan horse. This file contains the source
    code for TCP Wrappers version 7.6. This Trojan horse appears to have
    been made available on a number of FTP servers since Thursday,
January
    21, 1999 at 06:16:00 GMT.
    
    The Trojan horse version of TCP Wrappers provides root access to
    intruders on port 421. Additionally, upon compilation, this Trojan
    horse version sends email to an external address. This email
includes
    information identifying the site and the account that compiled the
    program. Specifically, the program sends information obtained from
    running the commands 'whoami' and 'uname -a'.
    
 II. Impact

    An intruder can gain unauthorized root access to any host running
this
    Trojan horse version of TCP Wrappers.
    
    Note: If you have already installed a Trojan horse version of TCP
    Wrappers, intruders can identify your site using information
contained
    in this advisory. Please read the "Solution" section and take
    appropriate action to protect your site as soon as possible.
    
 III. Solution

    We encourage sites to verify the authenticity of their TCP Wrapper
    distribution, regardless of where it was obtained.
    
    You can use the following MD5 checksums to verify the integrity of
the
    TCP Wrappers file:
 File: tcp_wrappers_7.6.tar.gz

     Correct version:
     size 99438      MD5 e6fa25f71226d090f34de3f6b122fb5a

     Trojan Horse version:
     size 99186      MD5 af7f76fb9960a95a1341c1777b48f1df

    Note that it is not sufficient to rely on the timestamps of the file
    when trying to determine if you have a copy of the Trojan horse
    version.
    
    Additionally, the file tcp_wrappers_7.6.tar.gz is distributed with
the
    detached PGP signature tcp_wrappers_7.6.tar.gz.sig.
    
    Wietse Venema is the author and maintainer of the TCP Wrappers
    distribution.You can verify the integrity and authenticity of your
    distribution with Wietse Venema's PGP public key. We have included a
    copy of his PGP public key below. Note that the Trojan horse version
    was not signed, and that Wietse Venema's PGP key was not compromised
    in any way.
    
    We have verified that the distribution of TCP Wrappers offered by
the
    CERT Coordination Center at ftp.cert.org was not involved in this
    activity.
    
    TCP Wrappers is available from our FTP site at
    
      ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.6.tar.gz
      MD5 checksum: e6fa25f71226d090f34de3f6b122fb5a
      
    As with any port, if you are not using port 421, we encourage you to
    filter it at your network perimeter.
    
 Wietse Venema's PGP Public Key

 - -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: 2.6.2

 mQCNAirDhV8AAAED/i4LrhQ/mwOgam8ZfQpEcxYoE9kru5oRDGtoVeKae/4bUver
 aGX7qVtskD6vwPwr2FF6JW2c+z2oY4JGPGUArORiigoT82/q6vqT0Wm1jIPsXQSB
 ZCkBoyvBcmXEi+J7eDBbWLPDxeDimgrORbAIQ4uikRafs8KlpNyA8qbVMny5AAUR
 tCV3aWV0c2UgdmVuZW1hIDx3aWV0c2VAd3p2Lndpbi50dWUubmw+iQEVAwUQNEfn
 hgyPsuGbHvEpAQExUAgAkAZTAVqzICTlVMggjsG9NghqC0FPqO2s9BQLXH3lQDdQ
 C2tOx1CYvL3pB8X77alh18/HnUd6PNkloHC2fqNo5eNyuVDeUpvW+mz6IRlndnJU
 kLVx/Kzu+h3TooWlX/BSc+k0XsQJ7mpP4QeWvoHll50rBPVLYnv4ODbZh0z5jYfr
 Yq2n/05vi5nRdz2gXqRRIorfD46a5n+gQNAvrwhKMRZeyqEfOCtQ+UjMH7tyGG0N
 +suzNQtBjypEZkB8OFEQB1Q3RatQlWx55JOfmcba0JBY9umOuNoDPldvIgMbExRP
 5tN+qOjsHbm723S1kybyQKEbQgx3pDA3xiz9SBFqjYkBFQMFEDRH59NGYudYIBG4
 eQEB3XMH/RXG4wFjy32JDJPaVmS14Ax53VGOBUDLZo9Uv8lG3uTIe886lLeDqWA2
 fHyyUFwUBC917NR0D9HCTAAQ5PZYO7kOV5JMSLWoxyLYRimHcUnhfBJ9XthVvjvH
 NuItWWXVLND0UjTkmHJSCtTxcM6Yo7NuisIJOYcnRameWK105FPb9i3ATaEejM8C
 NPfgiHp9Krv5EVfAHJ+gBy/q4kKqQYFZgdbogVS5aKQJiO5imGEtxGl7qSxfC1WJ
 TmrauU/8CbBQM6MvifnIep+LI+IBLwDFSByZDPR5dakjeCGMnNtj2XYEu0mWtz/5
 DHOIDGz9whNF1DBUBbHM3BEuUai87eWJAD8DBRA0R+e9YVgWxTrOVf4RAtpXAKDK
 jQQ4a7pxrgLA63H4XHhfCNC9PACghwiSLYqPdnsyMM+LN/I3su2zF7OJAJUDBRA0
 R+f8d6a8PicAdv0BAXNeBACgGcN9znLn0yHysY852uUntwMS9CAlTdSLkiRaf1gM
 sV+VQipFvSzS+rmg/DtiWDJ46Z5ffJe6rMnIn59yGgmkelj6hTDi3eGcarGnIFQJ
 PG61JmfdTxtyQ5lY5zpNoBnKwVHCYBoMvpvoe0axVhQm23+j/qll44jcnORmqcYD
 YIkAPwMFEDRH56iWgad8PVLgfxECrc8An2xiSfGbEsocbX5eOUkTc6jYiRwCAKDC
 FIaSRaNnmB3sHPaj0TnaGri6h4kAlQMFEDRgoatWKpzSj2i9yQEBKQkD/0Znfn9u
 jEPIpUpPLO1HvFX16IMx+JXYQcFakporAmvNzw28a351cWNQOTSr0ZS+8G6YNXEQ
 WUeI2NE96gIpUmb6m2XNJ5ucdLRG2PsSwwcYtuipRXaR3aHrLwPRDEdlo0ifC+Bm
 mV80LrTsnCfR1XvuCGcFkA//BNnXYJnjM36EiQEVAwUQNEUD2zw9PaeQSTXpAQGX
 gQgAhlqfuv/aWGeP9Qgdtlq688sP9fADmwzQdQ98lbOL184eW7Or+Dunynh89Sn0
 yC90AfwiI3/E75YIZJA4x6qjMan+3p8mNw8WtkUWYZOQ/A91tXQflo/EFqliR4mx
 HKmWqubsXzIL6fW3vxC/gQnlNKE3Rx53vwxMMK8u3LFDdLQu0OpXOkmAa4qZh+Pi
 DXa77DPYToHcxXeOIvAm+mSqxuBK9URKlGDq4snS3XnlmfdySz2oEsFPN5MUOvQV
 gyeHl7aRysa/C8d7tq+FLWN8fQcLpn/3hXHUygdW4KogGVUDFMpckLv1E161AT84
 R+fK9ztWoi85CSkFwCESiO8vj4kAlQIFEDBqt5TZp9pcfgqygQEBWvYEAK7oHPhv
 4ChPzquWue9maG22iOBO+mJJ6ReKriydzcUUzwwLAEDnzN7TJaWBj7f/M6anrTqT
 UxJWcm5R3BzSPecLmM9FN1B+zsJjhqA/BbTjfr7lDuWzplLI55SlezHrSD2Zdh7f
 NZp6LjoLWhApUCtwY5JqofYEVutSHLjKnKwAiQEVAwUQMQ6i0ee7tRpdDUB5AQGA
 Hgf+MXxcTTo73zq7Iy3n23JjkRYuGRScRyxHPrM4CvCfpxGZ0KqXFydkGjaV2NxW
 BUdjZzzrXqExTv/w6l/b/TG5WDqOSkSmmIYYc1c1oaKvbPpwimkzREK9QZABibK8
 OA+TN8E2Or7v8/DuwWRVfDdmhblf98PH29wAYvNAwGlftnzfsdOILTxHySZ0724Q
 YWDHM876sJ7lvzZ1sPUkv61blq1etB0VrRUJ0YewaqhP/Jmn45ldHRdxjzN8yrzq
 u4rzrHx1LJb6j/mHSH7soEwEKpHRCtZNY+PtLcKheFxiFweu8OAMsm574wmybEGr
 2EICSA0p4I6UswT0Rcn7Oba/1YkAlQMFEDEOojNOQewbPzG6VQEBXkoEAIoRVBm5
 /LmOiOyeB+968KyOPVxCXHZqKePwjt32sz/ozKQUfjvxGE1x2G9gAdSFlfI3qjL3
 Iw8MPYspX10nUYbtvcT4QBci6vd/gAut6d1pwl/Rz/ui0HqbjvBxEzLFKNm3ssIp
 /FeNyBBO8KZFd+h4Yqc4TqkjiYOnR6CcatI6iQCVAwUQMHjnn+Tyai8iNKttAQHS
 IQP+L5lquZYfWQfcYjS+NTTCXC8fSolynnsJfy589knPeQOjxKPv9IdU0bXXzRPh
 wXoCftxm08/qrFEzRmLJX8Nbs4VVcJHt1VnoIo+Fu0ASn6JV0f0HiDhPWCJerBYl
 wrqTYoPEC8hWGQr93ARda4O83KZ6QQqBFXuKgYHxvHnTTMGJAJUDBRAwc68SAk+E
 axRt4o0BAZSCA/9bYDgwudU+uFf2/e2GAUT1gxTHhSPgSKlg8Ca8p6AJeaqB3YvJ
 wBgFaqYNNOm0XGl4K2uWXJURTA8rboS+UrN7+besnbLpUZ3WnxIWPMhU0eK4x67M
 SH2tSrtz0fZtnOpIkZ0FvPMC/W4yidnGgwT3hxbHjznFH7FE3GYOvWyM/okAlQMF
 EDBvvvQx/7eDRBO2kQEBBZwD/jlqZbO1LjpueWSMijLF3ntCm617IcEfG6xz0oRM
 M2GEBtgtIIrv5YaTLy8jYPyu5edvvyc/sfcuFBw33wzxThuCfUIqzS/TwjgqSoaT
 L1+Rl3h4g+VTSteSWg/+fCfAp5T50DH1Uq3JqiV9lzwdgTK5uMvYmwG8ZHln6ju2
 F2E4iQCVAwUQMGqp+hrbNNwC+IyBAQHKggQAtoLHXDwYB2aPM4W3VGdBkT4jm8o1
 XgvqaFv/X+7xZKF9UgWRPRFqF88WeZRA2mZb/DxrmuckFsvqhJuvjEvKbr93QYuX
 dZG/e7am71WXLBKSPnvsoJY51eT7XrDI6hmqvWcYbngHpHzY+ZB6N9h7qcGw1zRw
 t4/Kxbp6nxlFAeqJAJUDBRAwal9L6CVK4w9Ml3UBAY4sBADTn9fOYlwC7iVJVd/z
 GMZyW5gvif9PKw+Grfn8S02x9i1OlqX1cgxJkMWoXpQCilQ4jyStv3LekhJ2Btp5
 kUCiColOZO4NOb7n0Iuwsnx1TkLl75RWZKDc+7gxA5PxCnzFE+y8O6i4pSuzzhpF
 qz4cEnRQ4D+Klrqu+3p43rfETYkAlQIFEDBoJ+kiUZbZZm0AUQEBpNkD/jEfKwJV
 xoFTakdUkIyprrZg3uYBTbhwf0rSynUVjm+X3KCbKROEyx6GskzH09D0LT+gTi9z
 Z9RrzXv1/yeO/6wte1WZT+vNLhvGrO4yniYm+Os5zSa+5aW/fyHilE02ZNk20r+H
 hY6aOmZQ8UXGv+U5ryg48UuGfe920UndQiuYiQCVAwUQMGnKYLnzJzdsy3QZAQGz
 lAQAuIRJhf8sAkuy3PeT9UuXvt1uUHwTiEkrDdbFnBQOfmkVxcQOP82gzgWYk5ii
 wlTmgT4euodekIzMrMIxqQsqyhvwxxbtD+k3aHFtocrvRUTShO51g8fiQcN7CTbE
 eTa3azUpMbiOWnvFTOKqfgAGn039smgkFIojywX7NdE+g+GJAJUDBRAwacpBYmX6
 SAdWdFUBAT1dBACeuV567rcGe4rE3Bjl629lWr57C9NtHOfKh63KT1xUHM6f0elq
 IfMWBCXTNAmS/rpQ7bjg7+WbWYYct2YKSizpP9/eyFq0Ax2cFzCBi8c2DdUuszEy
 PdvX6ZSvXMkR5Z90bLbeH26yzacnyF1MdD0wtAqdtOcs6xHCrfyKl/7CmIkAlQMF
 EDBpx1AEJn15jgpJ0QEBCUcD/0gEX5BCjysfVNjRHLibxwv46aqFGf4FED/ZyJEb
 jC6szt0q2jzOGZUhMsyYNqmoCSdj2mGDd2AG01HxJRqVpkvaMv5O4XYOvC9oQTwv
 8+5EV0Be2HZ+Jfl9Xpyl7TG+3ClQXpUH21C5suiWOTEsexq7a3YvdULELqtlQpBo
 pianiQCVAwUQMGf966NsRd57vOpJAQF8ngP9GTFx5J+57n9SsISC/32GleMy0g3l
 HJTrjtWnxIOt28DTXI9VxOmaRIh002PJG8d2esFq17DXxJf60M43s14F/6ct/PmB
 2psgIayaW+1Mj1FtBAUr4cKsfGZytcKqrHoMvSp7rZHhfgVy/xLMKKCmm+c7xdYJ
 Sgbicrpwq1IBuDGJAJUDBRAwZ/wvO3/HvM52ax8BAR+WA/47Zw6LyUQHR0HqikBZ
 mu1vTfgG6seat/93V8z2kA80f++FbKisJwzqxUzJ27ERFAgOdbTPGWwuCeWkszd7
 TSBVzfoAosU//H1cbIULmD9jv7DLh6lQx+RUEdlD7zkUiVkmhU234AjnzWx1dfLi
 g5iJomAE1qLskvbi1k5TRI3St4kAlQMFEDBmoqxYl6t82lyyQQEBekIEANKfx56q
 zeVCa9eIic4j2FXpJC5nYUOcdShPkhKWpDZMxNHT5S/gyqZFtgMvqbqKcDsxmtsF
 jpHJr7QX1lKBYTAzGUtSPOgb2BiJbHwHfK3GH6TfKqNHt9rYERvBbaekyEEBS8Ds
 Vcw1ZTgi/gIBSN83NkLJuc09i/nHg939hdr3iQB1AgUQL8wq2mgPK9CjLmKhAQFv
 1AL/bL+vtlG61Dtmu8/kv5HkPiOVqfiomUYI1OfF0amJUNKgBadhdbJ40QGMuhhX
 HlWyb4/MnSt4aujnwA8sKhtRKtJHKvjjLf+LTmdMol2wnoK072lLpFumX7aJ3pS1
 4aUgiQCVAwUQL4l3ERPcEwSgd4ahAQFt+gP/Zsee/uKXvtMxG5DSCgKpnU9p9QGV
 4gnP9bCydQ+brmepEuMSuj9c/VFzHlYLXpJs9ZhfCbjNuuVRyjQIVj3Jbq9s4Xwy
 hxc+Q0xglMUhjm18ycJ8PPgkx4e8FdzcSuZfaFI6hH0Er7Jeh/8HOyrKSlsqrGZO
 y0HGAuKOWQKP+ZCJAJUDBRAviBbrym8rg/wMAtUBAaEvA/0ZlxCa1Ka/6BQMxaMz
 +xdbDPdcbcntpcyuERm2FMY5a2bOr1j4Rpic3zc1+Q9N6ZQA5FJOpWvHB0xXUw5b
 No6aG1VAHrmV51jmIUYVJy+DTmXZela9nGHfiM33RvdttDsvox6HTe/teo+fzP3s
 6MQaWScLDx33RezVTmVSBk22WYkAlQMFEC99GmfcgPKm1TJ8uQEBJzsD+waYQmJK
 G0btGU0+GUTg+bRMSfCGwb9p9vbwnXQIPlQrsF8Bozm8IyFGWxsfKT8dRljqmAEw
 KLhaFgYdFrnliuYfmVMw+nSpdpTDVE0N4d7hd8mTN+WCvY0g6x9rv1uBPKK6lPgW
 oZHskbzNLwiDXZ5vPKdoSCCIi3aQkCQd+6qxiQCVAgUQLm32FsDH/BbwDwQhAQFZ
 qwP/cSSBsmwz45rZ8HP5NhUWxCUG1ZMmavp42mnhObIv03b680ufNMxp8nvbgAXU
 WwCnHjmvdUZvzhLZs3g4xTyf6XXGddxVAzQZUEocreD92mzm9uJIi+uzMCcvu9Fm
 4Pgu9Tux3ndjVahVBLZEoNoZVdPZAsa+PmkCEX0GFXK+0fmJAJUCBRAubfXabKHQ
 hwZ57ZEBAYeaA/9aM5Oi5kaE9KjfVRwxSpyc2UWoEwXwNyabMVpp5HTqZjEnm/n+
 0gsB/hcLUWDS1/vGeeP3UfHrDzctPBXwzRs+lAthLuHi8t99MHovELXy3crXEiIo
 9jiUSXrYPca88OR+4dh4mt6FidgsxxZh9mFhMUL2IQwCFk8HpLVEC2Jfr4kAlQIF
 EC5q5ajjEe6i7yfncQEBrd0D/1gxSJXMa4MtQbsYL0/QpEo4yYCs1dQ/M/IqHTy7
 pfbPtVsVBmEyGL3Teu0F0RGC1e8odGEXQTVQazXbSrrbLXbG1v8uix3neCHfrAbi
 uGOzgDd/JrY7mjqWSxRpvHsdeSlb0SW/++7u8izosXRUuw6Ykp2l6GacQvbxTJpt
 kdSLtCR3aWV0c2UgdmVuZW1hIDx3aWV0c2VAcG9yY3VwaW5lLm9yZz6JARUDBRA1
 O5tPy8QyP8SpYiUBAa6RB/4t7WU5FsXq9TaAslIoYtwsbWkPFZSlY1nZkMpoGOmw
 dNzdc/MR5A8iC28E9LdZH+89VM1OnctR3MfKMqJoYBgFWmhxMo4VkDnBtMIZbMX+
 QnMnp9piwM8T4VbQV49YMj5jbLCr2NUep8JIvd733OGs27SDjU25dHmkKvLf8A1U
 BDGM9yKFL+OBJdLuzcTsddIUnLvysgiWAzB2MCriap1tgwYVgqB2DxztwayJusWY
 iyv89Av8y8etDZFlAqfGdX/77E/iyQGVUi0kuHSNqePgAGe7idg4rLV3Zd05cNt6
 CJ7s6LmOZI+iXA+8r890L+0VqRN4C/mNEQndtn9Bxv0tiQCVAwUQNNkG9NyA8qbV
 Mny5AQGhEwP9GSNPhi0X+W0E35V4Iu/bvanFmjfwklkQbJaDhBMddhDtrJVzbZEv
 e9AsQxEhK9me+Xql7ZQzOAjyM4c1aFO2+sq69H8z+e+pOkV/yWnRKIX9lVV4YJpK
 ZLUSjKnV2Tvqo9EKXpFwjptO/YU1PZFEqXe/i3iIRecSOLJLqKvN3Zs=
 =+cGX
 - -----END PGP PUBLIC KEY BLOCK-----
      _________________________________________________________________
    
    The CERT Coordination Center wishes to thank Wietse Venema for his
    assistance in resolving this problem and Roy Arends of CERT-NL for
    valuable input in constructing this advisory.
   
______________________________________________________________________
    
    This document is available from:
    http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html.
   
______________________________________________________________________
    
 CERT/CC Contact Information

    Email: cert@cert.org
           Phone: +1 412-268-7090 (24-hour hotline)
           Fax: +1 412-268-6989
           Postal address:
           CERT Coordination Center
           Software Engineering Institute
           Carnegie Mellon University
           Pittsburgh PA 15213-3890
           U.S.A.
           
    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) /
EDT(GMT-4)
    Monday through Friday; they are on call for emergencies during other
    hours, on U.S. holidays, and on weekends.
    
 Using encryption

    We strongly urge you to encrypt sensitive information sent by email.
    Our public PGP key is available from
http://www.cert.org/CERT_PGP.key.
    If you prefer to use DES, please call the CERT hotline for more
    information.
    
 Getting security information

    CERT publications and other security information are available from
    our web site http://www.cert.org/.
    
    To be added to our mailing list for advisories and bulletins, send
    email to cert-advisory-request@cert.org and include SUBSCRIBE
    your-email-address in the subject of your message.
    
    Copyright 1998 Carnegie Mellon University.
    Conditions for use, disclaimers, and sponsorship information can be
    found in http://www.cert.org/legal_stuff.html.
    
    * CERT is registered in the U.S. Patent and Trademark Office
   
______________________________________________________________________
    
    NO WARRANTY
    Any material furnished by Carnegie Mellon University and the
Software
    Engineering Institute is furnished on an "as is" basis. Carnegie
    Mellon University makes no warranties of any kind, either expressed
or
    implied as to any matter including, but not limited to, warranty of
    fitness for a particular purpose or merchantability, exclusivity or
    results obtained from use of the material. Carnegie Mellon
University
    does not make any warranty of any kind with respect to freedom from
    patent, trademark, or copyright infringement.
      _________________________________________________________________
    
 Revision History

 -----BEGIN PGP SIGNATURE-----
 Version: 2.6.2

 iQCVAwUBNqfS1XVP+x0t4w7BAQEtXgQAjMvSXAYlEezp1yQ5sMex4+dYpeEgsBW6
 c57PBexeBDwXMR6sE14JDfoZl9wjuN2EZ1KCYoV4UvVk1uXjVli6Epa2D3SR68Xv
 WJr40X/LptEXQnzCmWstqxOmsqZkSkFWxUF+C4Qxm7jcbNe1qpAoam/VoPcMTtZb
 ln9e861vkxI=
 =Px6D
 -----END PGP SIGNATURE-----

                                                                              
Mail this story
                                                                              
Printer version


Return to today's headlines.

Comments from readers:   (Read all comments on one page.)

Post your comments using the form below. 

Your Name: 

Your Email Address:
                                   (Set cookie)
Subject:
                                 
Comments:
                                                      
       or  

[ Return to Today's Headlines | Top of Story ]

All times are recorded in CST.
Copyright © 1998 by Linux Today (webmaster@linuxtoday.com)
Linux is a trademark of Linus Torvalds.