[ SOURCE: http://www.secureroot.com/security/advisories/9640318896.html ] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This message is a re-issue of CERT Advisory CA-99.01, originally issued on Thursday, January 21, 1999. We are re-issuing this advisory for several reasons: - The original advisory contained an error. Specifically, we incorrectly said that intruders could gain root access by connecting TO port 421. That is incorrect. The way the Trojan horse is designed, intruders can gain root access by connecting FROM port 421. Our thanks to Jochen Bauer of the Institute for Theoretical Physics at the University of Stuttgart for first identifying this error, - The author and maintainer of the program, Wietse Venema, has moved the official distribution site for TCP Wrappers to a different location, - We have provided checksums for individual files to aid sites in determining if they have authentic copies. CERT Advisory CA-99-01-Trojan-TCP-Wrappers Original issue date: January 21, 1999 Last Revised: January 22, 1998 _________________________________________________________________ The original release of this advisory contained an error. Please take note of the changes mentioned in the revision history section at the end of this file. _________________________________________________________________ Topic: Trojan horse version of TCP Wrappers _________________________________________________________________ The CERT Coordination Center has received confirmation that some copies of the source code for the TCP Wrappers tool (tcpd) were modified by an intruder and contain a Trojan horse. We strongly encourage sites running the TCP Wrappers tool to immediately verify the integrity of their distribution. _________________________________________________________________ I. Description TCP Wrappers is a tool commonly used on Unix systems to monitor and filter connections to network services. The CERT Coordination Center has received confirmation that some copies of the file tcp_wrappers_7.6.tar.gz have been modified by an intruder and contain a Trojan horse. This file contains the source code for TCP Wrappers version 7.6. This Trojan horse appears to have been made available on a number of FTP servers since Thursday, January 21, 1999 at 06:16:00 GMT. Copies downloaded prior to this time are not affected by this particular trojan horse. The Trojan horse version of TCP Wrappers provides root access to intruders initiating connections which have a source port of 421. Additionally, upon compilation, this Trojan horse version sends email to an external address. This email includes information identifying the site and the account that compiled the program. Specifically, the program sends information obtained from running the commands 'whoami' and 'uname -a'. II. Impact An intruder can gain unauthorized root access to any host running this Trojan horse version of TCP Wrappers. Note: If you have already installed a Trojan horse version of TCP Wrappers, intruders can identify your site using information contained in this advisory. Please read the "Solution" section and take appropriate action to protect your site as soon as possible. III. Solution We encourage sites who downloaded a copy of the TCP Wrapper after Thursday, January 21, 1999 at 06:16:00 GMT to verify the authenticity of their TCP Wrapper distribution, regardless of where it was obtained. You can use the following MD5 checksums to verify the integrity of your TCP Wrappers distribution: Correct version: tcp_wrappers_7.6.tar.gz MD5 = e6fa25f71226d090f34de3f6b122fb5a size = 99438 tcp_wrappers_7.6.tar MD5 = 5da85a422a30045a62da165404575d8e size = 360448 Trojan Horse version: tcp_wrappers_7.6.tar.gz MD5 = af7f76fb9960a95a1341c1777b48f1df size = 99186 Appendix A provides checksums for the individual files within the distribution. It is not sufficient to rely on the timestamps of the file when trying to determine whether or not you have a copy of the Trojan horse version. Additionally, the file tcp_wrappers_7.6.tar.gz is distributed with the detached PGP signature tcp_wrappers_7.6.tar.gz.sig. Wietse Venema is the author and maintainer of the TCP Wrappers distribution.You can verify the integrity and authenticity of your distribution with Wietse Venema's PGP public key. We have included a copy of his PGP public key below. Note that the Trojan horse version was not signed, and that Wietse Venema's PGP key was not compromised in any way. As a workaround, until you are able to verify your copies of TCP Wrappers, you can block inbound connections with a source port of 421 at your network perimeter. However, it is possible that some operating systems or software may use port 421 in legitimate connections. Thus, it is possible that some legitimate connections might be blocked. Where to Get TCP Wrappers Wietse Venema has moved the primary FTP archive for TCP Wrapper source to a different location. The primary archive is now located at ftp://ftp.porcupine.org/pub/security/ Sites that mirror the TCP Wrapper source code are encouraged to update their mirroring procedures. Wietse Venema expresses his gratitude to his former employer, Eindhoven University, for making possible the development and distribution of the TCP Wrapper software, and appreciates the support from system administrators of the department of mathematics and computing science. Additionally, we have verified that the distribution of TCP Wrappers offered by the CERT Coordination Center at ftp.cert.org was not involved in this activity. TCP Wrappers is available from our FTP site at ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.6.tar.gz MD5 checksum: e6fa25f71226d090f34de3f6b122fb5a Wietse Venema's PGP Public Key - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6.2 mQCNAirDhV8AAAED/i4LrhQ/mwOgam8ZfQpEcxYoE9kru5oRDGtoVeKae/4bUver aGX7qVtskD6vwPwr2FF6JW2c+z2oY4JGPGUArORiigoT82/q6vqT0Wm1jIPsXQSB ZCkBoyvBcmXEi+J7eDBbWLPDxeDimgrORbAIQ4uikRafs8KlpNyA8qbVMny5AAUR tCV3aWV0c2UgdmVuZW1hIDx3aWV0c2VAd3p2Lndpbi50dWUubmw+iQEVAwUQNEfn hgyPsuGbHvEpAQExUAgAkAZTAVqzICTlVMggjsG9NghqC0FPqO2s9BQLXH3lQDdQ C2tOx1CYvL3pB8X77alh18/HnUd6PNkloHC2fqNo5eNyuVDeUpvW+mz6IRlndnJU kLVx/Kzu+h3TooWlX/BSc+k0XsQJ7mpP4QeWvoHll50rBPVLYnv4ODbZh0z5jYfr Yq2n/05vi5nRdz2gXqRRIorfD46a5n+gQNAvrwhKMRZeyqEfOCtQ+UjMH7tyGG0N +suzNQtBjypEZkB8OFEQB1Q3RatQlWx55JOfmcba0JBY9umOuNoDPldvIgMbExRP 5tN+qOjsHbm723S1kybyQKEbQgx3pDA3xiz9SBFqjYkBFQMFEDRH59NGYudYIBG4 eQEB3XMH/RXG4wFjy32JDJPaVmS14Ax53VGOBUDLZo9Uv8lG3uTIe886lLeDqWA2 fHyyUFwUBC917NR0D9HCTAAQ5PZYO7kOV5JMSLWoxyLYRimHcUnhfBJ9XthVvjvH NuItWWXVLND0UjTkmHJSCtTxcM6Yo7NuisIJOYcnRameWK105FPb9i3ATaEejM8C NPfgiHp9Krv5EVfAHJ+gBy/q4kKqQYFZgdbogVS5aKQJiO5imGEtxGl7qSxfC1WJ TmrauU/8CbBQM6MvifnIep+LI+IBLwDFSByZDPR5dakjeCGMnNtj2XYEu0mWtz/5 DHOIDGz9whNF1DBUBbHM3BEuUai87eWJAD8DBRA0R+e9YVgWxTrOVf4RAtpXAKDK jQQ4a7pxrgLA63H4XHhfCNC9PACghwiSLYqPdnsyMM+LN/I3su2zF7OJAJUDBRA0 R+f8d6a8PicAdv0BAXNeBACgGcN9znLn0yHysY852uUntwMS9CAlTdSLkiRaf1gM sV+VQipFvSzS+rmg/DtiWDJ46Z5ffJe6rMnIn59yGgmkelj6hTDi3eGcarGnIFQJ PG61JmfdTxtyQ5lY5zpNoBnKwVHCYBoMvpvoe0axVhQm23+j/qll44jcnORmqcYD YIkAPwMFEDRH56iWgad8PVLgfxECrc8An2xiSfGbEsocbX5eOUkTc6jYiRwCAKDC FIaSRaNnmB3sHPaj0TnaGri6h4kAlQMFEDRgoatWKpzSj2i9yQEBKQkD/0Znfn9u jEPIpUpPLO1HvFX16IMx+JXYQcFakporAmvNzw28a351cWNQOTSr0ZS+8G6YNXEQ WUeI2NE96gIpUmb6m2XNJ5ucdLRG2PsSwwcYtuipRXaR3aHrLwPRDEdlo0ifC+Bm mV80LrTsnCfR1XvuCGcFkA//BNnXYJnjM36EiQEVAwUQNEUD2zw9PaeQSTXpAQGX gQgAhlqfuv/aWGeP9Qgdtlq688sP9fADmwzQdQ98lbOL184eW7Or+Dunynh89Sn0 yC90AfwiI3/E75YIZJA4x6qjMan+3p8mNw8WtkUWYZOQ/A91tXQflo/EFqliR4mx HKmWqubsXzIL6fW3vxC/gQnlNKE3Rx53vwxMMK8u3LFDdLQu0OpXOkmAa4qZh+Pi DXa77DPYToHcxXeOIvAm+mSqxuBK9URKlGDq4snS3XnlmfdySz2oEsFPN5MUOvQV gyeHl7aRysa/C8d7tq+FLWN8fQcLpn/3hXHUygdW4KogGVUDFMpckLv1E161AT84 R+fK9ztWoi85CSkFwCESiO8vj4kAlQIFEDBqt5TZp9pcfgqygQEBWvYEAK7oHPhv 4ChPzquWue9maG22iOBO+mJJ6ReKriydzcUUzwwLAEDnzN7TJaWBj7f/M6anrTqT UxJWcm5R3BzSPecLmM9FN1B+zsJjhqA/BbTjfr7lDuWzplLI55SlezHrSD2Zdh7f NZp6LjoLWhApUCtwY5JqofYEVutSHLjKnKwAiQEVAwUQMQ6i0ee7tRpdDUB5AQGA Hgf+MXxcTTo73zq7Iy3n23JjkRYuGRScRyxHPrM4CvCfpxGZ0KqXFydkGjaV2NxW BUdjZzzrXqExTv/w6l/b/TG5WDqOSkSmmIYYc1c1oaKvbPpwimkzREK9QZABibK8 OA+TN8E2Or7v8/DuwWRVfDdmhblf98PH29wAYvNAwGlftnzfsdOILTxHySZ0724Q YWDHM876sJ7lvzZ1sPUkv61blq1etB0VrRUJ0YewaqhP/Jmn45ldHRdxjzN8yrzq u4rzrHx1LJb6j/mHSH7soEwEKpHRCtZNY+PtLcKheFxiFweu8OAMsm574wmybEGr 2EICSA0p4I6UswT0Rcn7Oba/1YkAlQMFEDEOojNOQewbPzG6VQEBXkoEAIoRVBm5 /LmOiOyeB+968KyOPVxCXHZqKePwjt32sz/ozKQUfjvxGE1x2G9gAdSFlfI3qjL3 Iw8MPYspX10nUYbtvcT4QBci6vd/gAut6d1pwl/Rz/ui0HqbjvBxEzLFKNm3ssIp /FeNyBBO8KZFd+h4Yqc4TqkjiYOnR6CcatI6iQCVAwUQMHjnn+Tyai8iNKttAQHS IQP+L5lquZYfWQfcYjS+NTTCXC8fSolynnsJfy589knPeQOjxKPv9IdU0bXXzRPh wXoCftxm08/qrFEzRmLJX8Nbs4VVcJHt1VnoIo+Fu0ASn6JV0f0HiDhPWCJerBYl wrqTYoPEC8hWGQr93ARda4O83KZ6QQqBFXuKgYHxvHnTTMGJAJUDBRAwc68SAk+E axRt4o0BAZSCA/9bYDgwudU+uFf2/e2GAUT1gxTHhSPgSKlg8Ca8p6AJeaqB3YvJ wBgFaqYNNOm0XGl4K2uWXJURTA8rboS+UrN7+besnbLpUZ3WnxIWPMhU0eK4x67M SH2tSrtz0fZtnOpIkZ0FvPMC/W4yidnGgwT3hxbHjznFH7FE3GYOvWyM/okAlQMF EDBvvvQx/7eDRBO2kQEBBZwD/jlqZbO1LjpueWSMijLF3ntCm617IcEfG6xz0oRM M2GEBtgtIIrv5YaTLy8jYPyu5edvvyc/sfcuFBw33wzxThuCfUIqzS/TwjgqSoaT L1+Rl3h4g+VTSteSWg/+fCfAp5T50DH1Uq3JqiV9lzwdgTK5uMvYmwG8ZHln6ju2 F2E4iQCVAwUQMGqp+hrbNNwC+IyBAQHKggQAtoLHXDwYB2aPM4W3VGdBkT4jm8o1 XgvqaFv/X+7xZKF9UgWRPRFqF88WeZRA2mZb/DxrmuckFsvqhJuvjEvKbr93QYuX dZG/e7am71WXLBKSPnvsoJY51eT7XrDI6hmqvWcYbngHpHzY+ZB6N9h7qcGw1zRw t4/Kxbp6nxlFAeqJAJUDBRAwal9L6CVK4w9Ml3UBAY4sBADTn9fOYlwC7iVJVd/z GMZyW5gvif9PKw+Grfn8S02x9i1OlqX1cgxJkMWoXpQCilQ4jyStv3LekhJ2Btp5 kUCiColOZO4NOb7n0Iuwsnx1TkLl75RWZKDc+7gxA5PxCnzFE+y8O6i4pSuzzhpF qz4cEnRQ4D+Klrqu+3p43rfETYkAlQIFEDBoJ+kiUZbZZm0AUQEBpNkD/jEfKwJV xoFTakdUkIyprrZg3uYBTbhwf0rSynUVjm+X3KCbKROEyx6GskzH09D0LT+gTi9z Z9RrzXv1/yeO/6wte1WZT+vNLhvGrO4yniYm+Os5zSa+5aW/fyHilE02ZNk20r+H hY6aOmZQ8UXGv+U5ryg48UuGfe920UndQiuYiQCVAwUQMGnKYLnzJzdsy3QZAQGz lAQAuIRJhf8sAkuy3PeT9UuXvt1uUHwTiEkrDdbFnBQOfmkVxcQOP82gzgWYk5ii wlTmgT4euodekIzMrMIxqQsqyhvwxxbtD+k3aHFtocrvRUTShO51g8fiQcN7CTbE eTa3azUpMbiOWnvFTOKqfgAGn039smgkFIojywX7NdE+g+GJAJUDBRAwacpBYmX6 SAdWdFUBAT1dBACeuV567rcGe4rE3Bjl629lWr57C9NtHOfKh63KT1xUHM6f0elq IfMWBCXTNAmS/rpQ7bjg7+WbWYYct2YKSizpP9/eyFq0Ax2cFzCBi8c2DdUuszEy PdvX6ZSvXMkR5Z90bLbeH26yzacnyF1MdD0wtAqdtOcs6xHCrfyKl/7CmIkAlQMF EDBpx1AEJn15jgpJ0QEBCUcD/0gEX5BCjysfVNjRHLibxwv46aqFGf4FED/ZyJEb jC6szt0q2jzOGZUhMsyYNqmoCSdj2mGDd2AG01HxJRqVpkvaMv5O4XYOvC9oQTwv 8+5EV0Be2HZ+Jfl9Xpyl7TG+3ClQXpUH21C5suiWOTEsexq7a3YvdULELqtlQpBo pianiQCVAwUQMGf966NsRd57vOpJAQF8ngP9GTFx5J+57n9SsISC/32GleMy0g3l HJTrjtWnxIOt28DTXI9VxOmaRIh002PJG8d2esFq17DXxJf60M43s14F/6ct/PmB 2psgIayaW+1Mj1FtBAUr4cKsfGZytcKqrHoMvSp7rZHhfgVy/xLMKKCmm+c7xdYJ Sgbicrpwq1IBuDGJAJUDBRAwZ/wvO3/HvM52ax8BAR+WA/47Zw6LyUQHR0HqikBZ mu1vTfgG6seat/93V8z2kA80f++FbKisJwzqxUzJ27ERFAgOdbTPGWwuCeWkszd7 TSBVzfoAosU//H1cbIULmD9jv7DLh6lQx+RUEdlD7zkUiVkmhU234AjnzWx1dfLi g5iJomAE1qLskvbi1k5TRI3St4kAlQMFEDBmoqxYl6t82lyyQQEBekIEANKfx56q zeVCa9eIic4j2FXpJC5nYUOcdShPkhKWpDZMxNHT5S/gyqZFtgMvqbqKcDsxmtsF jpHJr7QX1lKBYTAzGUtSPOgb2BiJbHwHfK3GH6TfKqNHt9rYERvBbaekyEEBS8Ds Vcw1ZTgi/gIBSN83NkLJuc09i/nHg939hdr3iQB1AgUQL8wq2mgPK9CjLmKhAQFv 1AL/bL+vtlG61Dtmu8/kv5HkPiOVqfiomUYI1OfF0amJUNKgBadhdbJ40QGMuhhX HlWyb4/MnSt4aujnwA8sKhtRKtJHKvjjLf+LTmdMol2wnoK072lLpFumX7aJ3pS1 4aUgiQCVAwUQL4l3ERPcEwSgd4ahAQFt+gP/Zsee/uKXvtMxG5DSCgKpnU9p9QGV 4gnP9bCydQ+brmepEuMSuj9c/VFzHlYLXpJs9ZhfCbjNuuVRyjQIVj3Jbq9s4Xwy hxc+Q0xglMUhjm18ycJ8PPgkx4e8FdzcSuZfaFI6hH0Er7Jeh/8HOyrKSlsqrGZO y0HGAuKOWQKP+ZCJAJUDBRAviBbrym8rg/wMAtUBAaEvA/0ZlxCa1Ka/6BQMxaMz +xdbDPdcbcntpcyuERm2FMY5a2bOr1j4Rpic3zc1+Q9N6ZQA5FJOpWvHB0xXUw5b No6aG1VAHrmV51jmIUYVJy+DTmXZela9nGHfiM33RvdttDsvox6HTe/teo+fzP3s 6MQaWScLDx33RezVTmVSBk22WYkAlQMFEC99GmfcgPKm1TJ8uQEBJzsD+waYQmJK G0btGU0+GUTg+bRMSfCGwb9p9vbwnXQIPlQrsF8Bozm8IyFGWxsfKT8dRljqmAEw KLhaFgYdFrnliuYfmVMw+nSpdpTDVE0N4d7hd8mTN+WCvY0g6x9rv1uBPKK6lPgW oZHskbzNLwiDXZ5vPKdoSCCIi3aQkCQd+6qxiQCVAgUQLm32FsDH/BbwDwQhAQFZ qwP/cSSBsmwz45rZ8HP5NhUWxCUG1ZMmavp42mnhObIv03b680ufNMxp8nvbgAXU WwCnHjmvdUZvzhLZs3g4xTyf6XXGddxVAzQZUEocreD92mzm9uJIi+uzMCcvu9Fm 4Pgu9Tux3ndjVahVBLZEoNoZVdPZAsa+PmkCEX0GFXK+0fmJAJUCBRAubfXabKHQ hwZ57ZEBAYeaA/9aM5Oi5kaE9KjfVRwxSpyc2UWoEwXwNyabMVpp5HTqZjEnm/n+ 0gsB/hcLUWDS1/vGeeP3UfHrDzctPBXwzRs+lAthLuHi8t99MHovELXy3crXEiIo 9jiUSXrYPca88OR+4dh4mt6FidgsxxZh9mFhMUL2IQwCFk8HpLVEC2Jfr4kAlQIF EC5q5ajjEe6i7yfncQEBrd0D/1gxSJXMa4MtQbsYL0/QpEo4yYCs1dQ/M/IqHTy7 pfbPtVsVBmEyGL3Teu0F0RGC1e8odGEXQTVQazXbSrrbLXbG1v8uix3neCHfrAbi uGOzgDd/JrY7mjqWSxRpvHsdeSlb0SW/++7u8izosXRUuw6Ykp2l6GacQvbxTJpt kdSLtCR3aWV0c2UgdmVuZW1hIDx3aWV0c2VAcG9yY3VwaW5lLm9yZz6JARUDBRA1 O5tPy8QyP8SpYiUBAa6RB/4t7WU5FsXq9TaAslIoYtwsbWkPFZSlY1nZkMpoGOmw dNzdc/MR5A8iC28E9LdZH+89VM1OnctR3MfKMqJoYBgFWmhxMo4VkDnBtMIZbMX+ QnMnp9piwM8T4VbQV49YMj5jbLCr2NUep8JIvd733OGs27SDjU25dHmkKvLf8A1U BDGM9yKFL+OBJdLuzcTsddIUnLvysgiWAzB2MCriap1tgwYVgqB2DxztwayJusWY iyv89Av8y8etDZFlAqfGdX/77E/iyQGVUi0kuHSNqePgAGe7idg4rLV3Zd05cNt6 CJ7s6LmOZI+iXA+8r890L+0VqRN4C/mNEQndtn9Bxv0tiQCVAwUQNNkG9NyA8qbV Mny5AQGhEwP9GSNPhi0X+W0E35V4Iu/bvanFmjfwklkQbJaDhBMddhDtrJVzbZEv e9AsQxEhK9me+Xql7ZQzOAjyM4c1aFO2+sq69H8z+e+pOkV/yWnRKIX9lVV4YJpK ZLUSjKnV2Tvqo9EKXpFwjptO/YU1PZFEqXe/i3iIRecSOLJLqKvN3Zs= =+cGX - -----END PGP PUBLIC KEY BLOCK----- _________________________________________________________________ Appendix A - Checksums This appendix provides checksums for the individual files within the TCP Wrappers distribution. MD5 (BLURB) = 627fc45308e852c446c3606647fa8c34 MD5 (Banners.Makefile) = e53315d5713278df908248602b129955 MD5 (CHANGES) = ff08c72b8c9c8d56ba9bf3e90d477639 MD5 (DISCLAIMER) = 071bd69cb78b18888ea5e3da5c3127fa MD5 (Makefile) = 0037774577650534f898949d892144ec MD5 (README) = 2452fb4f9d06500ec0634d7b64aaf76b MD5 (README.IRIX) = 36603b049d5f89a26a300825c3021310 MD5 (README.NIS) = 147a07f2d3e673121dec4975849994e8 MD5 (clean_exit.c) = 1bac137fdc9c151351c0b33c9026421f MD5 (diag.c) = 8f3d561785f3314a35a9de09d11ccdaa MD5 (environ.c) = 9fa4c0f2fff89d00a4b1283730eab739 MD5 (eval.c) = b4fbd49308d5a8f77315167a4ee10339 MD5 (fakelog.c) = b329ab5443158e4c79f55710f9a675d0 MD5 (fix_options.c) = 99f3cb7841d8bf941bf6750fd7a96df1 MD5 (fromhost.c) = d880bab3c12c4109e95cdd69470e4ea3 MD5 (hosts_access.3) = 7993a6a2a27f729254bf29c13f48e9ab MD5 (hosts_access.5) = 67085bc60fb9cbb70be7cb6490002923 MD5 (hosts_access.c) = cec0cba4a2df178e8857510704cc38f3 MD5 (hosts_ctl.c) = edad608818ee499ad0497dbabad43227 MD5 (hosts_options.5) = c4920a00f777844c6e8136e52e260264 MD5 (inetcf.c) = 02ccca613950bfe18706d0c39cbca9ea MD5 (inetcf.h) = 2a7ac52919ccece4946943067455b1d8 MD5 (misc.c) = b74358d00ad758286a44c933fee4eda2 MD5 (miscd.c) = 720b62d42e8162cb7b696002e56ece6e MD5 (mystdarg.h) = ce79d3c00d2ad46db810610c573bce2a MD5 (myvsyslog.c) = 619fd9232e456e8ab75625f25dd58952 MD5 (ncr.c) = dc5262ae64eb1e3305bcfdc00e8fb9c9 MD5 (options.c) = 8b27d55628eb2b666b27f015ee2182b0 MD5 (patchlevel.h) = 92e06ff46922390163fdb46af95894f4 MD5 (percent_m.c) = 721472d1cc7cc8d4960d800057ed8ec1 MD5 (percent_x.c) = a406be699b48a19fb741fe8f31732698 MD5 (printf.ck) = 7dafed0315ad74bc7a28e7d747f29819 MD5 (ptx.c) = 9ab79f1b51877bbeeac82db794b25ad9 MD5 (refuse.c) = 5f2c0874378f640a86897f5531616dc7 MD5 (rfc931.c) = e629b1f5cfdc97dc43301ed1186f7c37 MD5 (safe_finger.c) = 7e4a788b375b7b05a60d24cd0c83b0b3 MD5 (scaffold.c) = ce9473ec933a5478d3522a15223c48c2 MD5 (scaffold.h) = 6b9d803d78ec0a6946f329d5a9856b53 MD5 (setenv.c) = 44209db39c4d3a173d2933b04f67320e MD5 (shell_cmd.c) = 57b7371b951329db7b5f699e99798164 MD5 (socket.c) = 00f0890b1bc3e453ce44ccd64223b0c5 MD5 (strcasecmp.c) = 1e72db28013fc87fedcdbc155d8ba7fa MD5 (tcpd.8) = eaee4abbff9c2853b4e5122ec1fb7a1b MD5 (tcpd.c) = a8255a587f31a38b4a7485a5c8d904a3 MD5 (tcpd.h) = 076cf6456199450a4b81aec77165c716 MD5 (tcpdchk.8) = ed7b220f6ac7906ae326ac8fa3d04a11 MD5 (tcpdchk.c) = fe8a07ff2642e8b55922e6be510b9ed3 MD5 (tcpdmatch.8) = 85bc0335c865954ca534c9a17c666b53 MD5 (tcpdmatch.c) = 8af6daf4a1e9d9935956f1d31e54ab4f MD5 (tli-sequent.c) = 6266612530ec81b4c3f90cbe34fcd108 MD5 (tli-sequent.h) = 9e8d21063e9157e7c2a4e9e3e3281e8b MD5 (tli.c) = 7efc6e3c9915d6e8ca762342b540573d MD5 (try-from.c) = c6a00f028c9578a881018b505857a05d MD5 (update.c) = 77c218e0e6366d2327f52068f863d12b MD5 (vfprintf.c) = 332dc8be89d5a59abc3036b490ba07d0 MD5 (workarounds.c) = d1e7b5abf95067313b7668d8c10a2c5c _________________________________________________________________ The CERT Coordination Center wishes to thank Wietse Venema for his assistance in resolving this problem and Roy Arends of CERT-NL for valuable input in constructing this advisory. Additionally, we would like to thank Jochen Bauer of the Institute for Theoretical Physics at the University of Stuttgart for identifying an error in an earlier version of this advisory. Wietse Venema expresses his appreciation to Andrew Brown of Crossbar Security, Inc. for noticing that the TCP Wrapper source code had been tampered with, and for informing the author of the incident. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-99-01-Trojan-TCP-Wrappers.html. ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key. If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/. To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html. * CERT is registered in the U.S. Patent and Trademark Office ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Revision History Fri January 22, 1999 Modified to reflect that the Trojan horse provides root access to intruders initiating connections from source port of 421 as opposed to a destination port of 421. Added section indicating that the primary FTP archive for TCP Wrapper source has changed. Added an MD5 checksum and size for the correct version of the file tcp_wrappers_7.6.tar. Added MD5 checksums for individual files within the TCP Wrapper distribution. -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOBTB5Fr9kb5qlZHQEQI1xgCffFcKPdmf2deGOCfDHXGI1YnyOasAn0Hv qMeA+9db/kPtveYDCdcAGpkG =NBf3 -----END PGP SIGNATURE-----