************************************************************************** Security Bulletin 9412 DISA Defense Communications System April 6, 1994 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/ddn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/ddn-security-9302). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Information Systems Agency's Security ! ! Coordination Center distribution system as a means of ! ! providing DDN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ============================================================================= CA-94:07 CERT Advisory April 6, 1994 wuarchive ftpd Trojan Horse ----------------------------------------------------------------------------- The CERT Coordination Center has received confirmation that some copies of the source code for the wuarchive FTP daemon (ftpd) were modified by an intruder, and contain a Trojan horse. We strongly recommend that any site running the wuarchive ftpd take steps to immediately install version 2.3, or disable their FTP daemon. ----------------------------------------------------------------------------- I. Description Some copies of the source code for versions 2.2 and 2.1f of the wuarchive ftpd were modified by an intruder, and contain a Trojan horse. If your FTP daemon was compiled from the intruder-modified source code, you are vulnerable. It is possible that previous versions of the source code for the server were modified in a similar manner. If you are running the wuarchive ftpd, but not providing anonymous FTP access, you are still vulnerable to this Trojan horse. II. Impact An intruder can gain root access on a host running an FTP daemon that contains this Trojan horse. III. Solution We strongly recommend that any site running the wuarchive ftpd (version 2.2 or earlier) take steps to immediately install version 2.3. If you cannot install the new version in a timely manner, you should disable FTP service. It is not sufficient to disable anonymous FTP. You must disable the FTP daemon. Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net, in the "/networking/ftp/wuarchive-ftpd" directory. We recommend that you turn off your FTP server until you have installed the new version. Be certain to verify the checksum information to confirm that you have retrieved a valid copy. BSD SVR4 File Checksum Checksum MD5 Digital Signature ----------------- -------- --------- -------------------------------- wu-ftpd-2.3.tar.Z 24416 181 30488 361 e58adc5ce0b6eae34f3f2389e9dc9197 --------------------------------------------------------------------------- The CERT Coordination Center wishes to thank Bryan O'Connor and Chris Myers of Washington University in St. Louis for their invaluable assistance in resolving this problem. CERT also gratefully acknowledges the help of Neil Woods and Karl Strickland. --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT via electronic mail, CERT strongly advises that the e-mail be encrypted. CERT can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT for details). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories, information about FIRST representatives, and other information related to computer security are available via anonymous FTP from info.cert.org. **************************************************************************** * * * The point of contact for MILNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * ****************************************************************************