An enterprising computer enthusiast has managed to insert a Trojan in the source code for a recent Sendmail distro and to substitute the malicious package for the real McCoy on the Sendmail.org FTP server.

The malicious files were available from 28 September 2002 until 6 October 2002. The affected files, with their correct checksums are: 73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z 8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig

According to a recent CERT advisory, it is believed that the Trojan is de-activated when the system is restarted. It is also believed that users who downloaded from the sendmail.org HTTP server are not affected. Files on all mirror FTP and HTTP servers should be presumed infected.

The Trojan is activated at build time and functions with the privileges of the user building it, and apparently connects to an IRC server. The malicious code "forks a process that connects to a fixed remote server on 6667/TCP. This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software," CERT says.

One quick and dirty workaround would be to re-boot the affected machine (if that's convenient) for a little breathing space while the damage is assessed and/or blocking egress to port 6667. The packages available now at Sendmail.org are clean, but verifying the checksums still isn't a bad idea. Not that it ever was. ®

Full article and source:

The Register