Linux Today: Linux News On Internet Time.

WARNING - TCP Wrappers back door

Jan 22, 1999, 00:05

Wietse Venema posts to BUGTRAQ:

TCP Wrappers is a widely-used security tool to protect UNIX systems against intrusion. It has an estimated installed base of millions.

Today someone replaced the tcp wrapper source on by a backdoored version. Eventually this was bound to happen, and that's why the source file is accompanied by a PGP signature. But that is no guarantee against people downloading and installing backdoored software.

The backdoor gives access to a privileged shell when a client connects from port 421.

The backdoored copy was downloaded 52 times between 07:16 MET and 16:29 MET. I have informed the sites that downloaded a copy.

Below are details on how to recognize the backdoored version.

Relevant time stamp/size information (times relative to MET):

Backdoored version:

    % ls -lcta
    -r--r--r--  1 wswietse    99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
    dr-xr-sr-x  3 wswietse     4096 Apr 11  1998 .

Restored version:

    % ls -lt tcp_wrappers_7.6.tar.gz
    -r--r--r--  1 wswietse    99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz

The signature of the bad TAR file is: length 99186 instead of 99438.
The signature of a compiled tcpd binary is:

    strings -a tcpd | grep csh

any output probably means trouble.
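The two indicators Wietse gives (tarball length 99186 instead of 99438, and any `csh` string in a compiled `tcpd`) turned into a small POSIX shell script. This is an added example and is not part of his BUGTRAQ post or of the TCP Wrappers distribution. It assumes the restored size 99438 is the only trusted length for `tcp_wrappers_7.6.tar.gz`, emulates `strings -a` with `tr` so it also works on hosts without binutils, and assumes the detached PGP signature is named `tcp_wrappers_7.6.tar.gz.sig` (that file name is an assumption, not something the post states).

```shell
#!/bin/sh
# Added example: checks modelled on the indicators in Wietse Venema's post.
# Not code from the original post or from the TCP Wrappers distribution.

GOOD_SIZE=99438   # restored tcp_wrappers_7.6.tar.gz (from the post)
BAD_SIZE=99186    # backdoored copy (from the post)

# check_tarball_size FILE
# Returns 0 only if FILE has exactly the restored tarball's length.
# A match on the backdoored length is reported separately so the operator
# knows it is the known-bad copy and not merely a corrupt download.
check_tarball_size() {
    actual=$(wc -c < "$1" | tr -d ' ')
    if [ "$actual" -eq "$BAD_SIZE" ]; then
        echo "$1: length $actual matches the BACKDOORED tarball" >&2
        return 1
    fi
    if [ "$actual" -ne "$GOOD_SIZE" ]; then
        echo "$1: length $actual, expected $GOOD_SIZE" >&2
        return 1
    fi
    return 0
}

# tcpd_has_csh_string FILE
# Equivalent of 'strings -a FILE | grep csh' without requiring binutils:
# keep printable bytes, break on everything else, grep the result.
# Returns 0 (trouble) if any csh string is present, 1 if none is found.
tcpd_has_csh_string() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep csh
}

# verify_signature FILE
# The post's real defence: check the detached PGP signature before unpacking.
# The .sig suffix is an assumption; adjust to however the signature is shipped.
verify_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $1" >&2
        return 2
    fi
    gpg --verify "$1.sig" "$1"
}

# audit_tarball FILE
# Runs the length check and the signature check; returns non-zero on any failure.
audit_tarball() {
    check_tarball_size "$1" || return 1
    verify_signature "$1" || return 1
    echo "$1: length and signature OK"
}

# Usage (not run here):
#   audit_tarball tcp_wrappers_7.6.tar.gz
#   tcpd_has_csh_string /usr/sbin/tcpd && echo "tcpd contains a csh string: trouble"
```

The length check is only a fingerprint for this one incident; the signature check is the durable control, since the next backdoored tarball will not helpfully be 252 bytes shorter. Run `tcpd_has_csh_string` against every already-installed `tcpd` on hosts that fetched the source during the affected window, not just against the freshly built one.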