• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Sendmail Trojan Horse Vulnerability

Reportedly, the server hosting sendmail, ftp.sendmail.org, was compromised recently. It has been reported that the intruder made modifications to the source code of sendmail to include Trojan Horse code. Downloads of the sendmail source code from ftp.sendmail.org between September 28, 2002 and October 6, 2002 likely contain the trojan code.

It has also been reported that versions of sendmail available via HTTP distribution on the Sendmail Consortium site are not affected.

Reports say that the trojan will run once upon compilation of sendmail. Once the Trojan is executed, it attempts to connect to host spatula.aclue.com (66.37.138.99) on port 6667.

Although unconfirmed, it has been reported that the service listening on port 6667 of host spatula.aclue.com (66.37.138.99) has been disabled.

The Sendmail Consortium has signed all valid distributions of the sendmail software with the following PGP key:

pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002 <sendmail@Sendmail.ORG>
Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45

Additionally, the following checksums have been made available to verify packages against:

73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig