Got this article in my email today from TechRepublic... Gee, is nothing sacred?
THE REAL THREAT OF TROJANED OPEN SOURCE SOFTWARE
Sendmail, which many consider the de facto UNIX mail server software,
was recently a victim of a Trojan horse. Investigations are still ongoing,
but it appears that the main FTP site for the Sendmail 8.12.6 source code
distribution was compromised in late September 2002.
What's interesting is that the Trojan program launches when Sendmail is
compiled from source code, running with the same privileges as the user
compiling Sendmail. So, Sendmail itself doesn't appear to be compromised,
and simply rebooting stops the Trojan's process. If you've downloaded the
Sendmail 8.12.6 code, make sure that it's the authentic version before
compiling it. Better yet, delete it and grab a fresh copy from Sendmail's
Web site in order to verify that it's genuine.
http://www.sendmail.org/
This Sendmail incident raises questions that may never have suitable
answers, including how the intruders got access to the FTP server in the
first place. Now I'm wondering how many other open source software packages
will be tampered with (or already have been).
A few months before the Sendmail exploit, an almost identical incident
occurred with several versions of the OpenSSH source code distribution.
The Trojan looks very similar, being launched and connecting to a fixed
server using TCP port 6667 during the compile process. It's quite likely
that the same person or people are responsible for both incidents, which
involved the main FTP sites for the affected software. So, if you downloaded
and compiled OpenSSH version 3.2.2, 3.4, or 3.4p1 from the source, you
should probably fetch a new copy, since the mirror FTP sites for OpenSSH
copied the Trojaned versions.
If you're the kind of person who downloads and compiles your own open
source software, chances are you know how to verify the source distribution
for your software. I admit that I often overlook this step, but I
certainly won't skip it from now on. I already don't compile most open source
software as the "root" user, because "root" can do anything on a UNIX
system, including wipe it out. It usually isn't wise to regularly use a UNIX
machine as the "root" user anyway. Anyhow, make sudo part of your UNIX
security toolbox if it isn't already.
http://www.courtesan.com/sudo
Trojaned copies of compiled and source code distributions of software
aren't new, but Trojans in two popular open source packages in six months
is probably some sort of record. Luckily, both incidents were quickly
discovered, resolved, and information was released. The insidious nature of
these two incidents highlights the need to verify the authenticity of any
software you download and install, whether you compile it or not.
Most people have no way of knowing whether source code is authentic or
if it has been compromised. So make sure that you always verify the PGP
signature or MD5 checksum on any open source package you use. Modern
package management tools for UNIX such as RPM (which is used on many Linux
distributions) simplify this process tremendously. I suspect that there will
be more reports of compromised open source distributions--the latest two
are only the beginning.
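As an added example (not from the article or from the Sendmail or OpenSSH projects), the shell script below puts the two recommendations above into practice: it checks a downloaded tarball against a published checksum and a detached PGP signature, and refuses to start a build as root so that anything launched by a tampered build system runs with ordinary user privileges. It assumes the project ships a signature file next to the tarball, a checksum file in `sha256sum` format, and that the signing key has already been imported and its fingerprint compared with the project's published one through a channel other than the download server; the digest is SHA-256 rather than the MD5 the article mentions, and the file names are constructed.

```shell
#!/bin/sh
# Added example: check a downloaded source tarball before compiling it.
# Assumptions (not from the article): the project publishes a detached PGP
# signature next to the tarball (e.g. NAME.tar.gz.sig) and a checksum file
# with "DIGEST  FILENAME" lines; the signing key was imported and its
# fingerprint compared against the project's published fingerprint out of band.
set -u

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_checksum FILE CHECKSUM_FILE
# Look up FILE's basename in CHECKSUM_FILE (sha256sum format, with or without
# the binary-mode "*" prefix) and compare it with the recomputed digest.
# Returns 0 on match, 1 on mismatch or when no entry exists.
verify_checksum() {
    file=$1
    sums=$2
    name=$(basename "$file")
    expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    actual=$(digest_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "checksum OK: $name"
        return 0
    fi
    echo "CHECKSUM MISMATCH for $name: expected $expected, got $actual" >&2
    return 1
}

# verify_signature FILE SIGNATURE_FILE
# A good signature proves only that the holder of the signing key signed this
# exact tarball. A checksum file fetched from the same server as the tarball
# proves nothing if that server was compromised; the signature is what matters,
# and only if the key's fingerprint was checked out of band.
verify_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $2" >&2
        return 2
    fi
    gpg --batch --verify "$2" "$1"
}

# Refuse to configure or compile as root: both Trojans described in the
# article ran with the privileges of whoever ran the build. Build as an
# ordinary user and use sudo only for the install step.
refuse_root() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "refusing to build as root; run the build as an ordinary user" >&2
        return 1
    fi
    return 0
}

# verify_release TARBALL SIGNATURE CHECKSUM_FILE
# Both checks must pass before the tarball is unpacked or built.
verify_release() {
    verify_checksum "$1" "$3" || return 1
    verify_signature "$1" "$2" || return 1
    echo "$(basename "$1") verified; safe to unpack"
}

# Example invocation (hypothetical file names, not run automatically):
#   verify_release sendmail-8.12.6.tar.gz sendmail-8.12.6.tar.gz.sig SHA256SUMS \
#     && refuse_root && tar xzf sendmail-8.12.6.tar.gz
```

The order matters: the cheap checksum comparison catches a corrupt download, but only the signature check detects a tarball that was swapped on the server together with its checksum file, which is exactly the situation when an intruder controls the FTP site.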
Visit the CERT site for more details about the recent Trojan horse
incident.
[cert advisories link]
Jonathan Yarden is the senior UNIX system administrator, network
security manager, and senior software architect for a regional ISP.