---

WARNING – TCP Wrappers back door

Wietse Venema posts to
BUGTRAQ:

TCP Wrappers is a widely-used security tool to protect UNIX
systems against intrusion. In has an estimated installed base of
millions.

Today someone replaced the tcp wrapper source on ftp.win.tue.nl
by a backdoored version. Eventually this was bound to happen, and
that’s why the source file is accompanied by a PGP signature. But
that is no guarantee against people downloading and installing
backdoored software.

The backdoor gives access to a privileged shell when a client
connects from port 421.

The backdoored copy was downloaded 52 times between 07:16 MET
and 16:29 MET. I have informed the sites that downloaded a
copy.

Below are details on how to recognize the backdoored
version.

Relevant time stamp/size information (times relative to
MET):

Backdoored version:

    % ls -lcta
    -r--r--r--  1 wswietse    99186 Jan 21 07:16 tcp_wrappers_7.6.tar.gz
    ...
    dr-xr-sr-x  3 wswietse     4096 Apr 11  1998 .

Restored version:

    % ls -lt tcp_wrappers_7.6.tar.gz
    -r--r--r--  1 wswietse    99438 Jan 21 16:29 tcp_wrappers_7.6.tar.gz

The signature of the bad TAR file is: length 99186 instead of
99438.
The signature of a compiled tcpd binary is:

    strings -a tcpd | grep csh

any output probably means trouble.