Folks,

Anyone using the current sendmail may have an infected machine.

Parts of the original message follow below.

   These  files  began  to  appear  in  downloads  from  the  FTP  server
   ftp.sendmail.org  on  or  around  September  28,  2002.  The  Sendmail
   development  team  disabled  the  compromised FTP server on October 6,
   2002  at  approximately  22:15  PDT.  It  does  not appear that copies
   downloaded  via  HTTP contained the Trojan horse; however, the CERT/CC
   encourages  users  who  may  have  downloaded the source code via HTTP
   during  this  time  period  to take the steps outlined in the Solution
   section as a precautionary measure.

   The  Trojan  horse versions of Sendmail contain malicious code that is
   run  during  the  process  of building the software. This code forks a
   process  that  connects  to  a  fixed  remote server on 6667/tcp. This
   forked  process  allows  the  intruder  to open a shell running in the
   context  of  the  user  who  built  the Sendmail software. There is no
   evidence  that  the  process  is  persistent  after  a  reboot  of the
   compromised  system.  However,  a subsequent build of the Trojan horse
   Sendmail package will re-establish the backdoor process.

II. Impact

   An  intruder  operating  from  the  remote  address  specified  in the
   malicious  code  can  gain unauthorized remote access to any host that
   compiled  a  version of Sendmail from this Trojan horse version of the
   source  code.  The  level  of  access  would  be  that of the user who
   compiled the source code.

   It  is  important  to  understand that the compromise is to the system
   that  is  used  to  build the Sendmail software and not to the systems
   that run the Sendmail daemon. Because the compromised system creates a
   tunnel to the intruder-controlled system, the intruder may have a path
   through network access controls.

III. Solution

Obtain an authentic version of Sendmail

   The primary distribution site for Sendmail is

          http://www.sendmail.org/

   Sites  that  mirror  the Sendmail source code are encouraged to verify
   the integrity of their sources.

Verify software authenticity

   We  strongly  encourage  sites  that recently downloaded a copy of the
   Sendmail   distribution   to   verify   the   authenticity   of  their
   distribution,  regardless  of  where  it was obtained. Furthermore, we
   encourage  users  to  inspect  any and all software that may have been
   downloaded  from  the compromised site. Note that it is not sufficient
   to  rely  on  the  timestamps  or  sizes  of  the  file when trying to
   determine whether or not you have a copy of the Trojan horse version.

Verify PGP signatures

   The  Sendmail source distribution is cryptographically signed with the
   following PGP key:

     pub    1024R/678C0A03    2001-12-18   Sendmail   Signing   Key/2002
     <[EMAIL PROTECTED]>
     Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45

   The  Trojan  horse  copy  did not include an updated PGP signature, so
   attempts  to  verify its integrity would have failed. The sendmail.org
   staff  has  verified  that the Trojan horse copies did indeed fail PGP
   signature checks.

Verify MD5 checksums

   In  the  absence  of  PGP,  you can use the following MD5 checksums to
   verify the integrity of your Sendmail source code distribution:
   Correct versions:

     73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
     cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
     8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig

   As a matter of good security practice, the CERT/CC encourages users to
   verify,  whenever  possible, the integrity of downloaded software. For
   more information, see

          http://www.cert.org/incident_notes/IN-2001-06.html

Ricardo Guedes (Manaus)
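As an added worked example (not code from the CERT advisory, the CERT/CC, or the sendmail project), the following POSIX shell script applies the two checks the advisory describes to a local download directory: it compares each advisory-listed file that is present against the MD5 sums quoted above, and, where a decompressed tar and its .sig are both present, requires gpg to report a valid signature made by the key with the quoted fingerprint. The tool fallbacks (md5sum, BSD md5, openssl), the directory layout, the function names, and the treatment of the .sig as covering the uncompressed tar (inferred from the advisory listing one .sig for both archive formats) are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the CERT advisory or the sendmail project.
# Checks a downloaded Sendmail 8.12.6 distribution against the MD5 sums and
# PGP key fingerprint quoted in the advisory above.

# MD5 sums the advisory lists for the genuine 8.12.6 files.
SENDMAIL_MD5_SUMS="
73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig
"

# Fingerprint of the "Sendmail Signing Key/2002" from the advisory, spaces
# removed so it can be compared with gpg's machine-readable status output.
SENDMAIL_KEY_FPR="7B02F4AAFCC022DA473E2A9A9B352245"

# md5_of FILE: print the hex MD5 digest using whichever tool the host has
# (assumed: md5sum on Linux, md5 on BSD/macOS, openssl as a last resort).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# verify_md5 FILE EXPECTED: return 0 if FILE's MD5 equals EXPECTED, else 1.
# Digests are compared case-insensitively; a missing file is a failure.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "MISSING $file" >&2
        return 1
    fi
    actual=$(md5_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK      $file"
        return 0
    fi
    echo "FAIL    $file (got $actual, expected $expected)" >&2
    return 1
}

# verify_sendmail_dist DIR: check every advisory-listed file found in DIR.
# Returns 0 only if at least one listed file was present and every present
# file matched; absent files are skipped, since a site may have fetched only
# one archive format. Timestamps and sizes are deliberately ignored, as the
# advisory says they are not a reliable indicator of a Trojan horse copy.
verify_sendmail_dist() {
    dir=${1:-.}
    rc=1                                   # 1 = nothing checked yet
    for entry in $(printf '%s\n' "$SENDMAIL_MD5_SUMS" | tr ' ' ':'); do
        sum=${entry%%:*}
        name=${entry#*:}
        path="$dir/$name"
        [ -f "$path" ] || continue
        if verify_md5 "$path" "$sum"; then
            if [ "$rc" = 1 ]; then rc=0; fi
        else
            rc=2                           # keep going so every mismatch is reported
        fi
    done
    [ "$rc" = 0 ]
}

# verify_pgp SIG FILE: run gpg on a detached signature and require a VALIDSIG
# status line whose fingerprint is the advisory's key. Assumes gpg is
# installed and the signing key has already been imported into the keyring.
verify_pgp() {
    sig=$1
    file=$2
    status=$(gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print toupper($3) }')
    [ "$fpr" = "$SENDMAIL_KEY_FPR" ]
}

# Usage: sh verify_sendmail.sh /path/to/downloads
# Runs only when a directory argument is given, so the functions above can
# also be sourced from another script.
if [ -n "${1:-}" ]; then
    verify_sendmail_dist "$1" || exit 1
    if [ -f "$1/sendmail.8.12.6.tar" ] && [ -f "$1/sendmail.8.12.6.tar.sig" ]; then
        if verify_pgp "$1/sendmail.8.12.6.tar.sig" "$1/sendmail.8.12.6.tar"; then
            echo "PGP     good signature from key $SENDMAIL_KEY_FPR"
        else
            echo "PGP     signature check failed" >&2
            exit 1
        fi
    fi
fi
```

Treat the signature as the authoritative check and the MD5 sums as the fallback the advisory offers "in the absence of PGP": MD5 sums only tell you the file matches what the advisory published, and MD5 has long since lost collision resistance, so they are evidence against accidental corruption and against this particular Trojan horse rather than a general authenticity proof. Two practical caveats: the 16-byte fingerprint quoted in the advisory identifies a PGP 2.x (v3) RSA key, a format GnuPG 2.1 and later no longer accept, so on a current system the verify_pgp pattern would be used with sendmail's present-day signing key and fingerprint; and because the advisory lists a single .sig for both the .tar.gz and .tar.Z, the script expects you to decompress to sendmail.8.12.6.tar before verifying.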

Subscribers as of 9 October 2002: 2259
Messages received since 7 January 1999: 186120
History and [un]subscription: http://linux-br.conectiva.com.br
Administrative matters and problems with the list:
            mailto:[EMAIL PROTECTED]