From owner-freebsd-security Thu Oct 10 3:19:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AFCA737B401 for ; Thu, 10 Oct 2002 03:19:47 -0700 (PDT)
Received: from mail-gp.star.spb.ru (gamma.star.spb.ru [217.195.79.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id B397D43E97 for ; Thu, 10 Oct 2002 03:19:45 -0700 (PDT) (envelope-from nkritsky@internethelp.ru)
Received: from green.star.spb.ru (green.star.spb.ru [217.195.79.10]) by mail-gp.star.spb.ru (8.9.3/8.9.3) with ESMTP id OAA35681; Thu, 10 Oct 2002 14:19:39 +0400 (MSD)
Received: from IBMKA ([217.195.82.21]) by green.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 4LZPB0WT; Thu, 10 Oct 2002 14:19:38 +0400
Date: Thu, 10 Oct 2002 14:19:57 +0400
From: "Nickolay A. Kritsky"
X-Mailer: The Bat! (v1.49) Personal
Reply-To: "Nickolay A. Kritsky"
X-Priority: 3 (Normal)
Message-ID: <168272775470.20021010141957@internethelp.ru>
To: Dragos Ruiu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: Sendmail trojan...?
In-reply-To: <200210091327.18139.dr@kyx.net>
References: <3DA3AE76.1070006@deevil.homeunix.org> <20021009142546.GA27227@darkstar.doublethink.cx> <20021009080341.A26616@zardoc.esmtp.org> <200210091327.18139.dr@kyx.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

Hello Dragos,

Wednesday, October 09, 2002, 5:27:18 PM, you wrote:

DR> Where is the best collection of forensic information about
DR> this so the method can be understood and effects checked
DR> for? The CERT advisory mentioned trojaned versions "contain
DR> malicious code that is run during the process of building the
DR> software." It was less than illuminating about the method
DR> after that.

You can obtain additional info about sendmail's backdoor here:

From: netmask

Anyhow, I have made the backdoor'd sendmail code available at
http://www.enzotech.net/files/sm.backdoor.patch
and the base64 portion is decoded at
http://www.enzotech.net/files/sm.backdoor.base64.txt

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message