ADVISORY NOTICE
PROBLEM: Some copies of wuarchive FTP daemon (ftpd) source have been modified and contain a Trojan horse. PLATFORM: UNIX machines running wuarchive ftpd version 2.2 or earlier. DAMAGE: Root access may be obtained. SOLUTION: Disable the wuarchive ftpd, then retrieve and install wuarchive ftpd version 2.3
VULNERABILITY Intruders have used this Trojan horse to obtain root access ASSESSMENT: to computers on the Internet.
CIAC has received information that some copies of the wuarchive FTP daemon (ftpd) versions 2.2 and 2.1f have been modified at the source code level to contain a Trojan horse. This Trojan allows any user, local or remote, to become root on the affected UNIX system.
CIAC strongly recommends that all sites running these or older versions of the wuarchive ftpd retrieve and install version 2.3. It is possible that versions previous to 2.2 and 2.1f contain the Trojan as well.
If the new version cannot be installed in a timely manner, all FTP service should be disabled, since this Trojan affects all systems that are running the wuarchive ftpd, whether or not the system provides anonymous ftp service.
Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net, in the file /networking/ftp.wuarchive-ftpd/wu-ftpd-2.3.tar.Z. The BSD Checksum for this file is 24416 181, the SVR4 Checksum for this file is 30488 361, and the MD5 Digital Signature is e58adc5ce0b6eae34f3f2389e9dc9197.
For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov