Wietse Venema posts to BUGTRAQ:
TCP Wrappers is a widely-used security tool to protect UNIX systems against intrusion. It has an estimated installed base of millions.
Today someone replaced the tcp wrapper source on ftp.win.tue.nl
by a backdoored version. Eventually this was bound to happen, and
that’s why the source file is accompanied by a PGP signature. But
that is no guarantee against people downloading and installing
backdoored software.
The backdoor gives access to a privileged shell when a client
connects from port 421.
The backdoored copy was downloaded 52 times between 07:16 MET
and 16:29 MET. I have informed the sites that downloaded a
copy.
Below are details on how to recognize the backdoored
version.
Relevant time stamp/size information (times relative to MET):

Backdoored version:

    % ls -lcta
    -r--r--r--  1 wswietse   99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
    ...
    dr-xr-sr-x  3 wswietse    4096 Apr 11  1998 .

Restored version:

    % ls -lt tcp_wrappers_7.6.tar.gz
    -r--r--r--  1 wswietse   99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz
The signature of the bad TAR file is: length 99186 instead of 99438.

The signature of a compiled tcpd binary is:

    strings -a tcpd | grep csh

any output probably means trouble.
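As an added defender-side example (not part of Wietse's post), the following POSIX shell script applies the two indicators given above: the tarball length (99438 bytes for the restored file, 99186 for the backdoored one) and the `strings -a tcpd | grep csh` check. The `tr`/`grep` pipeline is a portable stand-in for `strings -a`, and the sample files the demo creates are constructed inline rather than taken from the real archive.

```shell
#!/bin/sh
# Checks a downloaded tcp_wrappers_7.6.tar.gz and a built tcpd binary
# against the indicators from the BUGTRAQ post. Lengths are the ones the
# post states; everything else here is an added, illustrative check.

GOOD_LENGTH=99438   # length of the restored tarball (from the post)
BAD_LENGTH=99186    # length of the backdoored tarball (from the post)

# file_length FILE -> prints the byte length of FILE
file_length() {
    wc -c < "$1" | tr -d ' '
}

# check_tarball FILE -> 0 if the length matches the restored tarball,
# 1 if it matches the known backdoored length, 2 if it matches neither
# (a different, unknown version: verify the PGP signature before use).
check_tarball() {
    len=$(file_length "$1")
    if [ "$len" -eq "$GOOD_LENGTH" ]; then
        return 0
    elif [ "$len" -eq "$BAD_LENGTH" ]; then
        return 1
    fi
    return 2
}

# check_tcpd BINARY -> 0 if no printable run containing "csh" is present,
# 1 otherwise. tr splits the file on non-printable bytes, which is the
# portable equivalent of `strings -a BINARY | grep csh`.
check_tcpd() {
    if tr -c '[:print:]' '\n' < "$1" | grep -q csh; then
        return 1
    fi
    return 0
}

# demo: builds constructed sample files (zero-filled tarballs of the two
# lengths, and two fake binaries) and reports each verdict.
demo() {
    tmp=$(mktemp -d)
    head -c "$GOOD_LENGTH" /dev/zero > "$tmp/good.tar.gz"
    head -c "$BAD_LENGTH"  /dev/zero > "$tmp/bad.tar.gz"
    printf 'tcpd\001hosts_access\001' > "$tmp/tcpd_clean"
    printf 'tcpd\001/bin/csh\001'     > "$tmp/tcpd_suspect"
    for f in good.tar.gz bad.tar.gz; do
        if check_tarball "$tmp/$f"; then echo "$f: length OK"; else echo "$f: SUSPECT (rc=$?)"; fi
    done
    for b in tcpd_clean tcpd_suspect; do
        if check_tcpd "$tmp/$b"; then echo "$b: no csh string"; else echo "$b: csh string found"; fi
    done
    rm -rf "$tmp"
}
```

Run `demo` (or call the two check functions directly on real files) from a shell that has sourced the script.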