Internet security experts issued a warning Wednesday that some copies of the
source code for Sendmail have been
hacked by an intruder and now contain a Trojan horse.
In an advisory,
the Computer Emergency Response Team (CERT) Coordination Center said the
Trojan horse versions of Sendmail contain malicious code that is run during
the process of building the popular software.
CERT said the files sendmail.8.12.6.tar.Z and
sendmail.8.12.6.tar.gz were modified to include the malicious code
and issued a warning to sites that employ, redistribute, or mirror the
Sendmail package to “immediately verify the integrity of their
distribution.”
The Trojan would let an intruder operating from the remote address specified
in the malicious code gain unauthorized remote access to any host that
compiled a version of Sendmail from this Trojan horse version of the source
code, the group said. “The level of access would be that of the user who
compiled the source code.”
“It is important to understand that the compromise is to the system that is
used to build the Sendmail software and not to the systems that run the
Sendmail daemon. Because the compromised system creates a tunnel to the
intruder-controlled system, the intruder may have a path through network
access controls,” CERT added.
The Sendmail Consortium, which serves as a resource for the freeware version
of Sendmail, confirmed the hack. “If you download the Sendmail distribution
you MUST verify the PGP signature. Do NOT use Sendmail without verifying the
integrity of the source code,” the Consortium said.
Because of the attack, the Consortium’s FTP server was unavailable Wednesday
morning but legitimate copies of the source were available via HTTP.
CERT said the malicious code that was added to the Sendmail source forks a
process that connects to a fixed remote server on 6667/tcp. “This forked
process allows the intruder to open a shell running in the context of the
user who built the Sendmail software,” the outfit warned.
It said there was no evidence to suggest the process is persistent after a
reboot of the compromised system. “However, a subsequent build of the
Trojan horse Sendmail package will re-establish the backdoor process,” CERT
added.
The compromised files began to appear in Sendmail downloads on or around
September 28, 2002, CERT said, noting that the Sendmail development team
disabled the compromised FTP server on October 6.
“It does not appear that copies downloaded via HTTP contained the Trojan
horse; however, the CERT/CC encourages users who may have downloaded the
source code via HTTP during this time period to make the necessary
verifications.”
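The verification the Consortium and CERT ask for is, in practice, two checks on the downloaded tarball: a hash compared against a value obtained out of band, and a detached PGP signature that was made by a key you already trust (a "good signature" from an unknown key proves nothing, since whoever can plant a Trojan on a mirror can also sign it). The script below is an added illustration, not code from the Sendmail project or from CERT; the tarball contents, the hash and the gpg status text it uses are constructed, and the key fingerprint is a placeholder.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def sha256_of(path):
    """Stream the file so a large tarball need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def checksum_matches(path, expected_hex):
    """Compare against a hash obtained out of band, not from the same mirror."""
    return sha256_of(path) == expected_hex.strip().lower()

def signature_from_trusted_key(gpg_status, trusted_fingerprints):
    """Accept only a VALIDSIG line whose signing (or primary) key fingerprint
    is one we already trust; a GOODSIG from an unknown key is not enough."""
    trusted = {fp.replace(" ", "").upper() for fp in trusted_fingerprints}
    for line in gpg_status.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            if parts[2].upper() in trusted or parts[-1].upper() in trusted:
                return True
    return False

def gpg_verify(tarball, sig, trusted_fingerprints):
    """Run gpg with machine-readable status output and parse it, rather than
    trusting the exit code alone (exit 0 means 'good signature, any key')."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", str(sig), str(tarball)],
        capture_output=True, text=True)
    return signature_from_trusted_key(proc.stdout, trusted_fingerprints)

# Constructed gpg status output; the fingerprint is a placeholder, not a real key.
PLACEHOLDER_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GPG_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example <key@example.invalid>\n"
    f"[GNUPG:] VALIDSIG {PLACEHOLDER_FPR} 2002-10-08 1034051700 0 4 0 17 2 00 {PLACEHOLDER_FPR}\n")

def demo():
    """Constructed data: a stand-in tarball, its known hash, and a tampered copy."""
    good = b"constructed stand-in for sendmail.8.12.6.tar.gz\n"
    tampered = good + b"/* constructed stand-in for injected build-time code */\n"
    known_hash = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        g, t = Path(d, "good.tar.gz"), Path(d, "tampered.tar.gz")
        g.write_bytes(good)
        t.write_bytes(tampered)
        return {"good_ok": checksum_matches(g, known_hash),
                "tampered_ok": checksum_matches(t, known_hash)}
```

Both checks have to pass before the tarball is unpacked and built, because the malicious code described above runs at build time, on whatever machine does the compiling.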
Sendmail, which is freely distributed, is by far the most popular MTA
(message transport agent) on the Internet.