Open Source 2002-09-28 · 8 days · Backdoor, Remote Code Execution

Sendmail FTP tarball shipped trojan

The official Sendmail FTP server, ftp.sendmail.org, was compromised and the 8.12.6 .tar.gz and .tar.Z source archives were replaced with trojanized versions; HTTP downloads were not believed affected.

Story

From about September 28 to October 6, 2002, the official Sendmail FTP server distributed trojaned copies of the 8.12.6 source archives. The compromise hit one of the Internet's default pieces of mail infrastructure: administrators who fetched source from the trusted FTP path could build a backdoored Sendmail without ever touching an exploit against a running daemon.

The delivery was limited but dangerous. The .tar.gz and .tar.Z archives on FTP were affected; HTTP downloads were not believed affected. The Register later quoted Eric Allman saying the attacker may have modified the FTP program itself so that roughly one in ten downloads received the backdoor while the original package remained untouched.

The code diff shows the backdoor inserted into libsm/t-shm.c. It declared shm64, called it from the shared-memory test path, decoded an embedded payload into a temporary test script, and executed it with system("sh ./test 2>/dev/null").

That payload forked a process and connected to spatula.aclue.com at 66.37.138.99 on TCP/6667. From there, the attacker could open a shell with the privileges of the build user. Analysts also noted that its one-letter command syntax resembled the OpenSSH backdoor from the same year: A killed the exploit, D executed a command, and M put it to sleep.
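The mechanism described above (an injected function on a test path, an encoded blob decoded to a script, and a `system()` call that hands it to the shell) leaves traces that can be grepped for before a downloaded source tree is ever built. The following scanner is an added example written for this page, not code from the Sendmail project or from the incident analysis; the sample "source tree" it runs over is constructed here to mirror the shape of the injection, and the `192.0.2.10` address in it is an RFC 5737 placeholder, not the real callback host.

```python
"""Heuristic triage of an unpacked source tree for build-time backdoor indicators.

Added example. It looks for three things the incident story describes:
  * a system() call that launches a shell script from the build directory,
  * a hard-coded IPv4 literal (a callback address) in C source,
  * a long run of \\xHH escapes (an embedded, encoded payload).
It is a triage aid, not a substitute for verifying the archive's PGP signature
against a key obtained out of band.
"""
import re
from typing import Dict, List

# Constructed sample tree (NOT the real Sendmail 8.12.6 sources or the real
# trojan): one clean test file and one that shows the injection pattern.
SAMPLE_TREE: Dict[str, str] = {
    "libsm/t-sem.c": r"""
#include <sm/sem.h>
int main(int argc, char **argv) { return sm_sem_test(); }
""",
    "libsm/t-shm.c": r"""
#include <stdlib.h>
static void shm64(void);
/* constructed placeholder for the encoded payload the story describes */
static const char payload[] =
    "\x23\x21\x2f\x62\x69\x6e\x2f\x73\x68\x0a\x65\x63\x68\x6f\x20\x68\x69\x0a\x0a\x0a";
int main(int argc, char **argv)
{
    shm64();   /* call injected on the shared-memory test path */
    return 0;
}
static void shm64(void)
{
    /* writes payload to ./test, which connects back to 192.0.2.10:6667 (placeholder) */
    system("sh ./test 2>/dev/null");
}
""",
}

# (indicator name, compiled pattern); each is applied line by line.
INDICATORS = [
    # system("sh ...") or system("/bin/sh ...") in source that should not shell out
    ("shell-exec", re.compile(r'system\s*\(\s*"(?:/bin/)?sh\b')),
    # dotted-quad literal: a callback address baked into the code
    ("ipv4-literal", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    # string literal made of 16 or more \xHH escapes: an encoded blob
    ("encoded-blob", re.compile(r'"(?:\\x[0-9a-fA-F]{2}){16,}')),
]


def scan_source(path: str, text: str) -> List[str]:
    """Return 'path:line: indicator' strings for every indicator hit in one file."""
    hits: List[str] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append(f"{path}:{lineno}: {name}")
    return hits


def scan_tree(tree: Dict[str, str]) -> List[str]:
    """Scan every file in a {path: contents} mapping, in path order."""
    findings: List[str] = []
    for path in sorted(tree):
        findings.extend(scan_source(path, tree[path]))
    return findings


if __name__ == "__main__":
    for finding in scan_tree(SAMPLE_TREE):
        print(finding)
```

Run against a real unpacked archive by reading each `*.c` file into the mapping; any hit in a `t-*.c` test harness deserves a diff against a second copy of the archive fetched over an independent path, since a test file has no business shelling out or phoning home.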

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Attribution: Person
Cause: Compromised Infrastructure
Transitive: No
Actor: Individual Hacker

External References

Source record: oss/attacks/sendmail/meta.yaml