Re: CERT Advisory - wuarchive ftpd Trojan Horse

Bonfield James (jkb@mrc-lmb.cam.ac.uk)
Mon, 11 Apr 94 8:58:51 EDT

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: der Mouse: "Re: /etc/utmp"
Previous message: Pat Myrto: "Re: Sendmail hole ?"
In reply to: Alastair Young: "Re: CERT Advisory - wuarchive ftpd Trojan Horse"

Alastair Young wrote:
>>I wish CERT would have posted more details though.
>>like how the trojan worked or where it was or what sites
>>contained copy of it.  how do i know the newest version
>>2.3 has no already been modified?
>>
>
>Check your source for the string '"NULL"' ie the word NULL in double quotes.
>We have an older version (2.1a) which appears to be clean.

Whilst I haven't checked this, I seem to remember hearing that the bug was to
allow ftp to root. In this case hopefully many sites would have been protected
by /etc/ftpusers.

I strongly suggest adding root (and other privilaged accounts) to this file if
you do not honestly need ftp access to them. This is of course true regardless
of whether or not this would have prevented the recent wuftpd attacks.

	James

--
James Bonfield (jkb@mrc-lmb.cam.ac.uk)   Tel: 0223 402499   Fax: 0223 412282
Medical Research Council - Laboratory of Molecular Biology,
Hills Road, Cambridge, CB2 2QH, England.

Next message: der Mouse: "Re: /etc/utmp"
Previous message: Pat Myrto: "Re: Sendmail hole ?"
In reply to: Alastair Young: "Re: CERT Advisory - wuarchive ftpd Trojan Horse"