util-linux source archive trojanized
The util-linux 2.9g source archive was replaced on an official distribution site during the same 1999 advisory window as the tcp-wrappers compromise.
Story
In January 1999, the util-linux 2.9g source archive on ftp.win.tue.nl was found to be a trojaned replacement. The report came on the heels of the tcp-wrappers compromise on the same server. The failed boundary was the trusted primary FTP host itself, not some downstream mirror.
The modified archive changed login-utils/login.c. A new checkname() path ran during login. If the supplied username began with #!, the code built a path of the form /bin/<name> and executed it, which turned an ordinary login prompt into a command trigger for anyone who knew the convention.
The same function also forked a reporting process. It resolved mail.hotmail.com, spoke SMTP, and sent host and UID data to a Hotmail address. It left a marker file at /var/tmp/.fmlock0, and its hard-coded greeting, HELO 127.0.0.1, is a simple string to grep for in a suspect login binary or source tree.
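A scanner for the indicators named above, written as an added example for this page (it is not code from the util-linux project or from the 1999 advisory). The indicator strings are taken from the write-up; the two sample login.c files it builds in make_sample_tree() are constructed stand-ins, not the real clean or trojaned sources, and a checkname() definition is treated as a strong hint rather than proof on its own.

```python
"""Scan a util-linux source tree or an installed login binary for the
indicators reported for the trojaned 2.9g archive.

Added example, not code from the util-linux project or CA-1999-02.
The indicator strings come from the incident write-up; the sample files
built in make_sample_tree() are constructed for the demonstration.
"""
import os
import re
import tempfile

# String-level indicators (usable on source and on a compiled login binary).
IOC_STRINGS = [
    b"HELO 127.0.0.1",      # SMTP greeting hard-coded by the reporting routine
    b"mail.hotmail.com",    # relay the trojan resolved before speaking SMTP
    b"/var/tmp/.fmlock0",   # marker file it left behind
]
# Source-level indicator: a checkname() definition, which the write-up says
# was new in the trojaned login.c. Only checked on .c files.
IOC_SOURCE_RE = re.compile(rb"\bcheckname\s*\(")

MARKER_FILE = "/var/tmp/.fmlock0"


def scan_file(path):
    """Return the indicator names found in one file (text or binary)."""
    with open(path, "rb") as f:
        data = f.read()
    hits = [s.decode() for s in IOC_STRINGS if s in data]
    if path.endswith(".c") and IOC_SOURCE_RE.search(data):
        hits.append("checkname()")
    return hits


def scan_tree(root):
    """Walk root; return {relative_path: [indicators]} for files with hits."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                findings[os.path.relpath(full, root)] = hits
    return findings


def marker_present(path=MARKER_FILE):
    """True if the trojan's marker file exists, i.e. the beacon already ran here."""
    return os.path.exists(path)


def make_sample_tree():
    """Constructed sample: a clean login.c and one mimicking the reported additions."""
    root = tempfile.mkdtemp(prefix="utillinux-ioc-")
    os.makedirs(os.path.join(root, "clean", "login-utils"))
    os.makedirs(os.path.join(root, "trojaned", "login-utils"))
    clean = b"int main(int argc, char **argv) { return do_login(argv[1]); }\n"
    trojaned = clean + (
        b"static void checkname(const char *name) {\n"
        b"    /* constructed stand-in for the reported beacon, not the real code */\n"
        b'    beacon("mail.hotmail.com", "HELO 127.0.0.1", "/var/tmp/.fmlock0");\n'
        b"}\n"
    )
    with open(os.path.join(root, "clean", "login-utils", "login.c"), "wb") as f:
        f.write(clean)
    with open(os.path.join(root, "trojaned", "login-utils", "login.c"), "wb") as f:
        f.write(trojaned)
    return root


if __name__ == "__main__":
    sample_root = make_sample_tree()
    for rel, hits in sorted(scan_tree(sample_root).items()):
        print(f"{rel}: {', '.join(hits)}")
    print("marker file present on this host:", marker_present())
```

Point scan_tree() at an unpacked tarball or scan_file() at /bin/login; the byte-string search works on a stripped binary because the trojan's SMTP strings survive compilation, while the checkname() regex only applies to source.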
The maintainer restored a clean 2.9g archive and warned that nothing fetched from the compromised machine should be trusted. CERT later folded util-linux into CA-1999-02 and advised users to move to util-linux 2.9h and verify its signature. The lesson was plain: a familiar path and an unchanged timestamp are not integrity; only a check against something the attacker could not forge is.
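The last point, as an added example that is not part of the original record or the util-linux project: a naive size-and-timestamp check passes a substituted archive whose mtime the attacker preserved, while a digest pinned from an out-of-band source catches it. CERT's actual advice was PGP signature verification; the SHA-256 digest here is a stand-in so the example runs offline, and the two archives built in make_samples() are constructed random bytes, not the real 2.9g tarballs.

```python
"""Compare the 1999-style 'does the listing look right' check with a real
integrity check on a downloaded source archive.

Added example, not from the util-linux project or CA-1999-02. A pinned
SHA-256 digest stands in for the PGP signature CERT recommended; the two
sample archives are constructed (random bytes) with identical size and mtime.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Streaming SHA-256 of a file, as hex."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_untouched(path, expected_size, expected_mtime):
    """The naive check: size and modification time match the directory listing.
    An attacker who replaces the file can keep both, so this proves nothing."""
    st = os.stat(path)
    return st.st_size == expected_size and int(st.st_mtime) == int(expected_mtime)


def verify(path, pinned_digest):
    """The check that catches substitution: digest against a value obtained
    out of band (here a pinned constant; in practice a signed release note)."""
    actual = sha256_of(path)
    return actual == pinned_digest, actual


def make_samples():
    """Constructed: a 'clean' archive and a same-size substitute with the
    clean file's timestamp copied onto it. Returns
    (clean_path, substituted_path, pinned_digest, size, mtime)."""
    d = tempfile.mkdtemp(prefix="utillinux-verify-")
    clean = os.path.join(d, "util-linux-2.9g.tar.gz")
    substituted = os.path.join(d, "util-linux-2.9g.tar.gz.substituted")
    size = 4096
    with open(clean, "wb") as f:
        f.write(os.urandom(size))
    with open(substituted, "wb") as f:
        f.write(os.urandom(size))  # same length, different content
    mtime = 916876800  # 1999-01-21 00:00:00 UTC, an arbitrary "old" timestamp
    os.utime(clean, (mtime, mtime))
    os.utime(substituted, (mtime, mtime))  # attacker preserves the timestamp
    return clean, substituted, sha256_of(clean), size, mtime


if __name__ == "__main__":
    clean, substituted, pinned, size, mtime = make_samples()
    for p in (clean, substituted):
        ok, digest = verify(p, pinned)
        print(os.path.basename(p), "listing-check:", looks_untouched(p, size, mtime),
              "digest-check:", ok, digest[:16])
```

The digest must come from a channel the compromised host does not control; a checksum file sitting next to the tarball on the same FTP server would have been replaced along with it.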
Affected Artifacts
- Observed: 1999-01-21 to 1999-01-22
- Compromised Versions: 2.9g
- Fixed: Not listed
- Evidence: mirror github.com/util-linux/util-linux; observable ftp://ftp.win.tue.nl/pub/linux-local/utils/util-linux-2.9g.tar.gz; file login-utils/login.c; function checkname; +3 more
Incident Context
- Motive: Unauthorized Access
- Cause: Compromised Infrastructure
- Transitive: No
External References
- Bugtraq: Re: util-linux compromised (seclists.org)
- LinuxToday: CERT Advisory CA-99.02 - Trojan Horses (linuxtoday.com)
- LinuxToday: util-linux-2.9g compromised (linuxtoday.com)
Source record: oss/attacks/util-linux/meta.yaml