Alastair Young wrote:
>>I wish CERT would have posted more details though.
>>like how the trojan worked or where it was or what sites
>>contained copy of it. how do i know the newest version
>>2.3 has not already been modified?
>>
>
>Check your source for the string '"NULL"' ie the word NULL in double quotes.
>We have an older version (2.1a) which appears to be clean.

Whilst I haven't checked this, I seem to remember hearing that the bug was to
allow ftp to root. In this case hopefully many sites would have been protected
by /etc/ftpusers. I strongly suggest adding root (and other privileged
accounts) to this file if you do not honestly need ftp access to them. This is
of course true regardless of whether or not this would have prevented the
recent wuftpd attacks.

	James

--
James Bonfield (jkb@mrc-lmb.cam.ac.uk)   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.
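
Added example (not part of the original message, and not wu-ftpd code): a POSIX shell check that lists privileged and system accounts which are not yet denied in an ftpusers file, the hardening step the message recommends. The function name missing_ftpusers, the UID cut-off of 99 and the sample passwd/ftpusers contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# missing_ftpusers PASSWD FTPUSERS [MAX_UID]
# Print every account in PASSWD whose UID is <= MAX_UID and whose name is
# not listed in FTPUSERS. MAX_UID defaults to 99 (assumed system-account
# cut-off); pass 0 to check only root-equivalent accounts.
missing_ftpusers() {
    passwd_file=$1
    ftpusers_file=$2
    max_uid=${3:-99}
    # A missing ftpusers file denies nobody: treat it as empty.
    [ -r "$ftpusers_file" ] || ftpusers_file=/dev/null
    awk -F: -v max="$max_uid" '
        # First operand (ftpusers): one name per line, "#" starts a comment.
        FILENAME == ARGV[1] {
            line = $0
            sub(/#.*/, "", line)
            gsub(/[ \t]/, "", line)
            if (line != "") denied[line] = 1
            next
        }
        # Second operand (passwd): skip comments, NIS +/- entries, short lines.
        /^[#+-]/ || NF < 3 { next }
        $3 ~ /^[0-9]+$/ && $3 + 0 <= max + 0 && !($1 in denied) { print $1 }
    ' "$ftpusers_file" "$passwd_file"
}

# Constructed sample data (not taken from any real host).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
bin:x:1:1:bin:/bin:/bin/false
uucp:x:10:14:uucp:/var/spool/uucp:/bin/false
alice:x:1001:100:Alice:/home/alice:/bin/sh
EOF
cat > "$demo_dir/ftpusers" <<'EOF'
# accounts denied ftp login
bin
uucp   # dial-up transfers only
EOF

echo "Accounts that should be added to ftpusers:"
missing_ftpusers "$demo_dir/passwd" "$demo_dir/ftpusers"
```

On a live system, run it as missing_ftpusers /etc/passwd /etc/ftpusers and review each name printed before adding it to the file.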