CERT: Sendmail Hacked
In an advisory, the Computer Emergency Response Team (CERT) Coordination Center said the Trojan horse versions of Sendmail contain malicious code that is run during the process of building the popular software.
CERT said the files sendmail.8.12.6.tar.Z and sendmail.8.12.6.tar.gz were modified to include the malicious code and issued a warning to sites that employ, redistribute, or mirror the Sendmail package to "immediately verify the integrity of their distribution."
The Trojan would let an intruder operating from the remote address specified in the malicious code gain unauthorized remote access to any host that compiled a version of Sendmail from this Trojan horse version of the source code, the group said. "The level of access would be that of the user who compiled the source code."
"It is important to understand that the compromise is to the system that is used to build the Sendmail software and not to the systems that run the Sendmail daemon. Because the compromised system creates a tunnel to the intruder-controlled system, the intruder may have a path through network access controls," CERT added.
The Sendmail Consortium, which serves as a resource for the freeware version of Sendmail, confirmed the hack. "If you download the Sendmail distribution you MUST verify the PGP signature. Do NOT use Sendmail without verifying the integrity of the source code," the Consortium said.
Because of the attack, the Consortium's FTP server was unavailable Wednesday morning but legitimate copies of the source was available via HTTP.
CERT said the malicious code that was added to the Sendmail source forks a process that connects to a fixed remote server on 6667/tcp. "This forked process allows the intruder to open a shell running in the context of the user who built the Sendmail software," the outfit warned.
It said there was no evidence to suggest the process is persistent after a reboot of the compromised system. "However, a subsequent build of the Trojan horse Sendmail package will re-establish the backdoor process," CERT added.
The compromised files began to appear in Sendmail downloads on or around September 28, 2002, CERT said, noting that the Sendmail development team disabled the compromised FTP server on October 6.
"It does not appear that copies downloaded via HTTP contained the Trojan horse; however, the CERT/CC encourages users who may have downloaded the source code via HTTP during this time period to make the necessary verifications.
Sendmail, which is freely distributed, is by far the most popular MTA (message transport agent) on the Internet.