WARNING - TCP Wrappers back door
Jan 22, 1999, 00:05
Wietse Venema posts to BUGTRAQ:
TCP Wrappers is a widely-used security tool to protect UNIX systems against intrusion. It has an estimated installed base of millions.
Today someone replaced the tcp wrapper source on ftp.win.tue.nl by a backdoored version. Eventually this was bound to happen, and that's why the source file is accompanied by a PGP signature. But that is no guarantee against people downloading and installing backdoored software.
The backdoor gives access to a privileged shell when a client connects from port 421.
The backdoored copy was downloaded 52 times between 07:16 MET and 16:29 MET. I have informed the sites that downloaded a copy.
Below are details on how to recognize the backdoored version.
Relevant time stamp/size information (times relative to MET):
% ls -lcta
-r--r--r-- 1 wswietse 99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
...
dr-xr-sr-x 3 wswietse 4096 Apr 11 1998 .

Restored version:

% ls -lt tcp_wrappers_7.6.tar.gz
-r--r--r-- 1 wswietse 99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz
The signature of the bad TAR file is: length 99186 instead of
strings -a tcpd | grep csh
any output probably means trouble.
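
The two checks from the post, combined into one triage script. This is an added example, not part of Wietse Venema's post or of the TCP Wrappers distribution. The function names are hypothetical, the two lengths are taken from the ls output above, and a matching length is only an indicator, since the post names the PGP signature as what accompanies the source file.

```shell
#!/bin/sh
# Added example: triage helpers built from the indicators quoted in the post.
# Function names are hypothetical. A matching length is only an indicator.

BAD_SIZE=99186       # length of the backdoored tar file (from the post)
RESTORED_SIZE=99438  # length of the restored tar file (from the ls output)

# Print a verdict for a downloaded tcp_wrappers_7.6.tar.gz based on byte length.
classify_tarball() {
    if [ ! -f "$1" ]; then echo "missing"; return 0; fi
    size=$(( $(wc -c < "$1") ))
    case "$size" in
        "$BAD_SIZE")      echo "backdoored-length" ;;
        "$RESTORED_SIZE") echo "restored-length" ;;
        *)                echo "unknown-length" ;;
    esac
}

# Succeed when an installed binary contains "csh", mirroring
# `strings -a tcpd | grep csh` from the post.
binary_mentions_csh() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1" | grep csh >/dev/null
    else
        # Fallback when strings(1) is not installed: break on non-printables.
        LC_ALL=C tr -c '[:print:]' '\n' < "$1" | grep csh >/dev/null
    fi
}

# Usage: sh check.sh tcp_wrappers_7.6.tar.gz /path/to/tcpd
if [ "$#" -eq 2 ]; then
    echo "tarball: $(classify_tarball "$1")"
    if binary_mentions_csh "$2"; then
        echo "binary: contains csh, investigate"
    else
        echo "binary: no csh string found"
    fi
fi
```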