Re: util-linux compromised

Richard Gooch (rgooch@atnf.csiro.au)
Mon, 25 Jan 1999 15:16:13 +1100


Andries Brouwer writes:
> I just received the following letter:
>
> Date: Sun, 24 Jan 1999 04:01:55 -0500 (EST)
> From: John Stange <building@cs.umd.edu>
> Subject: util-linux compromised?
>
> I grabbed util-linux-2.9g yesterday from win.tue.nl, and discovered a
> section of login.c that appears to send the host and uid of the user to a
> hotmail address. I imagine this isn't a standard feature. :> Given that
> the tcp wrappers archive was backdoored on that same server recently, you
> might want to comb over the rest of your stuff as well, if any of it's
> yours.
>
> -- John Stange
> Staff World, 4120 AVW
> x52720
>
> and indeed, util-linux-2.9g had been replaced by a trojan version.
> Unfortunately this means that everything from ftp.win.tue.nl
> must be regarded as suspect for the moment.
>
> I put a correct util-linux-2.9g.tar.gz back, with md5sum
> ab409a6ac5a775a4b04b8e27f6c86933 util-linux-2.9g.tar.gz
> but of course, for the time being, nothing on this machine can be trusted.

FYI: I grabbed util-linux-2.9g at 22:00 UT, 23-DEC-1998 and it has no
sign of this trojan. In fact, the md5sum is the same as the one you
mentioned above.

Regards,

Richard....

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
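
Where an independently obtained copy of a release exists, as in this thread, comparing the suspect tarball against it member by member shows which files were altered rather than only that the archives differ. The following is an added example, not part of the original messages; the archive contents and the names `make_tarball`, `member_digests` and `compare_archives` are constructed for illustration.

```python
import hashlib
import io
import tarfile

def make_tarball(files):
    """Build a gzip'd tarball in memory from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def member_digests(tarball_bytes):
    """Map each regular file in the archive to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tarball_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                # Read from the archive stream; a suspect archive is never extracted to disk.
                data = tar.extractfile(member).read()
                digests[member.name] = hashlib.sha256(data).hexdigest()
    return digests

def compare_archives(reference, suspect):
    """Return (changed, added, removed) member names, reference versus suspect."""
    ref, sus = member_digests(reference), member_digests(suspect)
    changed = sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n])
    added = sorted(sus.keys() - ref.keys())
    removed = sorted(ref.keys() - sus.keys())
    return changed, added, removed

# Constructed sample archives: placeholder contents, not the real util-linux sources.
CLEAN_FILES = {
    "pkg/login.c": b"int main(void) { return 0; }\n",
    "pkg/README": b"sample readme\n",
}
ALTERED_FILES = dict(CLEAN_FILES)
ALTERED_FILES["pkg/login.c"] = b"int main(void) { /* altered */ return 0; }\n"
ALTERED_FILES["pkg/extra.sh"] = b"#!/bin/sh\n"

REFERENCE = make_tarball(CLEAN_FILES)
SUSPECT = make_tarball(ALTERED_FILES)

if __name__ == "__main__":
    changed, added, removed = compare_archives(REFERENCE, SUSPECT)
    print("changed:", changed, "added:", added, "removed:", removed)
```

The comparison is only as trustworthy as the reference copy, so the reference should come from a source that does not share the suspect server.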