Trojan Horse Sendmail Distribution

Discussion in 'E-mail Discussion' started by Nadeem, Oct 9, 2002.

  1. Nadeem (Member since May 1, 2002)
    CERT Advisory CA-2002-28 Trojan Horse Sendmail Distribution

    Original release date: October 08, 2002
    Last revised: --
    Source: CERT/CC

    A complete revision history is at the end of this file.


    The CERT/CC has received confirmation that some copies of the source
    code for the Sendmail package were modified by an intruder to contain
    a Trojan horse.

    Sites that employ, redistribute, or mirror the Sendmail package should
    immediately verify the integrity of their distribution.

    I. Description

    The CERT/CC has received confirmation that some copies of the source
    code for the Sendmail package have been modified by an intruder to
    contain a Trojan horse.

    The following files were modified to include the malicious code:


    These files began to appear in downloads from the FTP server on or
    around September 28, 2002. The Sendmail development team disabled the
    compromised FTP server on October 6, 2002 at approximately 22:15 PDT.
    It does not appear that copies downloaded via HTTP contained the
    Trojan horse; however, the CERT/CC encourages users who may have
    downloaded the source code via HTTP during this time period to take
    the steps outlined in the Solution section as a precautionary measure.

    The Trojan horse versions of Sendmail contain malicious code that is
    run during the process of building the software. This code forks a
    process that connects to a fixed remote server on 6667/tcp. This
    forked process allows the intruder to open a shell running in the
    context of the user who built the Sendmail software. There is no
    evidence that the process is persistent after a reboot of the
    compromised system. However, a subsequent build of the Trojan horse
    Sendmail package will re-establish the backdoor process.

    II. Impact

    An intruder operating from the remote address specified in the
    malicious code can gain unauthorized remote access to any host that
    compiled a version of Sendmail from this Trojan horse version of the
    source code. The level of access would be that of the user who
    compiled the source code.

    It is important to understand that the compromise is to the system
    that is used to build the Sendmail software and not to the systems
    that run the Sendmail daemon. Because the compromised system creates a
    tunnel to the intruder-controlled system, the intruder may have a path
    through network access controls.

    III. Solution

    Obtain an authentic version of Sendmail

    The primary distribution site for Sendmail is

    Sites that mirror the Sendmail source code are encouraged to verify
    the integrity of their sources.

    Verify software authenticity

    We strongly encourage sites that recently downloaded a copy of the
    Sendmail distribution to verify the authenticity of their
    distribution, regardless of where it was obtained. Furthermore, we
    encourage users to inspect any and all software that may have been
    downloaded from the compromised site. Note that it is not sufficient
    to rely on the timestamps or sizes of the file when trying to
    determine whether or not you have a copy of the Trojan horse version.

    Verify PGP signatures

    The Sendmail source distribution is cryptographically signed with the
    following PGP key:

    pub 1024R/678C0A03 2001-12-18 Sendmail Signing Key/2002
    Key fingerprint = 7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45

    The Trojan horse copy did not include an updated PGP signature, so
    attempts to verify its integrity would have failed. The
    staff has verified that the Trojan horse copies did indeed fail PGP
    signature checks.

    Verify MD5 checksums

    In the absence of PGP, you can use the following MD5 checksums to
    verify the integrity of your Sendmail source code distribution:
    Correct versions:

    73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
    cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
    8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig

    As a matter of good security practice, the CERT/CC encourages users to
    verify, whenever possible, the integrity of downloaded software. For
    more information, see

    Employ egress filtering

    Egress filtering manages the flow of traffic as it leaves a network
    under your administrative control.

    In the case of the Trojan horse Sendmail distribution, employing
    egress filtering can help prevent systems on your network from
    connecting to the remote intruder-controlled system. Blocking outbound
    TCP connections to port 6667 from your network reduces the risk of
    internal compromised machines communicating with the remote system.

    Build software as an unprivileged user

    Sites are encouraged to build software from source code as an
    unprivileged, non-root user on the system. This can lessen the
    immediate impact of Trojan horse software. Compiling software that
    contains Trojan horses as the root user results in a compromise that
    is much more difficult to reliably recover from than if the Trojan
    horse is executed as a normal, unprivileged user on the system.

    Recovering from a system compromise

    If you believe a system under your administrative control has been
    compromised, please follow the steps outlined in

    Steps for Recovering from a UNIX or NT System Compromise


    The CERT/CC is interested in receiving reports of this activity. If
    machines under your administrative control are compromised, please
    send mail to with the following text included in the
    subject line: "[CERT#33376]".

    Appendix A. - Vendor Information

    This appendix contains information provided by vendors for this
    advisory. As vendors report new information to the CERT/CC, we will
    update this section and note the changes in our revision history. If a
    particular vendor is not listed below, we have not received their

    The CERT Coordination Center thanks the staff at the Sendmail
    Consortium for bringing this issue to our attention.

    Feedback can be directed to the authors: Chad Dougherty, Marty

    This document is available from:

    CERT/CC Contact Information

    Phone: 1 412-268-7090 (24-hour hotline)
    Fax: 1 412-268-6989
    Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890

    CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
    EDT(GMT-4) Monday through Friday; they are on call for emergencies
    during other hours, on U.S. holidays, and on weekends.

    Using encryption

    We strongly urge you to encrypt sensitive information sent by email.
    Our public PGP key is available from

    If you prefer to use DES, please call the CERT hotline for more

    Getting security information

    CERT publications and other security information are available from
    our web site

    To subscribe to the CERT mailing list for advisories and bulletins,
    send email to Please include in the body of your

    subscribe cert-advisory

    * "CERT" and "CERT Coordination Center" are registered in the U.S.
    Patent and Trademark Office.

    Any material furnished by Carnegie Mellon University and the Software
    Engineering Institute is furnished on an "as is" basis. Carnegie
    Mellon University makes no warranties of any kind, either expressed or
    implied as to any matter including, but not limited to, warranty of
    fitness for a particular purpose or merchantability, exclusivity or
    results obtained from use of the material. Carnegie Mellon University
    does not make any warranty of any kind with respect to freedom from
    patent, trademark, or copyright infringement.

    Conditions for use, disclaimers, and sponsorship information

    Copyright 2002 Carnegie Mellon University.

    Revision History
    October 08, 2002: Initial release
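The advisory's "Verify software authenticity" steps (compare MD5 checksums, check the detached PGP signature, and do not trust timestamps or file sizes) are easy to get wrong by hand. The script below is an added example for this thread, not part of the CERT advisory or the Sendmail project: it carries the three checksums quoted above as a lookup table, digests a downloaded archive with whatever MD5 tool the host provides, and wraps `gpg --verify` for the `.sig` file. The function names, the exit codes and the `warn_if_root` helper (which reflects the advisory's "build as an unprivileged user" advice) are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a downloaded Sendmail 8.12.6 archive against the MD5
# values and signing-key fingerprint published in CERT Advisory CA-2002-28.
# Only the checksums and the fingerprint come from the advisory; the function
# names, exit codes and messages are assumptions of this example.

# Known-good digests quoted in the advisory, one "md5 filename" per line.
KNOWN_MD5='73e18ea78b2386b774963c8472cbd309 sendmail.8.12.6.tar.gz
cebe3fa43731b315908f44889d9d2137 sendmail.8.12.6.tar.Z
8b9c78122044f4e4744fc447eeafef34 sendmail.8.12.6.tar.sig'

# Fingerprint of the 2002 Sendmail signing key, as printed in the advisory.
SENDMAIL_KEY_FPR='7B 02 F4 AA FC C0 22 DA 47 3E 2A 9A 9B 35 22 45'

# Print the hex MD5 digest of a file using whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -md5 "$1" | awk '{print $NF}'
    else
        md5 -q "$1"            # BSD/macOS fallback
    fi
}

# Look up the published digest for a basename; prints nothing if unknown.
expected_md5() {
    printf '%s\n' "$KNOWN_MD5" | awk -v f="$1" '$2 == f {print $1}'
}

# verify_md5 FILE
#   returns 0 when the digest matches the advisory,
#           1 when it differs (treat the archive as the Trojan horse copy),
#           2 when the advisory lists no digest for that filename.
# Timestamps and sizes are deliberately never consulted: the advisory states
# they cannot tell a Trojan horse copy from a clean one.
verify_md5() {
    file=$1
    name=$(basename "$file")
    want=$(expected_md5 "$name")
    if [ -z "$want" ]; then
        echo "UNKNOWN  $name (advisory publishes no checksum)" >&2
        return 2
    fi
    have=$(md5_of "$file")
    if [ "$have" = "$want" ]; then
        echo "OK       $name"
        return 0
    fi
    echo "MISMATCH $name: got $have, advisory lists $want" >&2
    return 1
}

# verify_signature TARBALL SIGFILE
#   passes gpg's own exit status through (0 = good signature). The signing
#   key must already be in the keyring; compare its fingerprint with
#   $SENDMAIL_KEY_FPR before trusting the result. Returns 3 if gpg is absent.
verify_signature() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; signature check skipped" >&2
        return 3
    fi
    gpg --verify "$2" "$1"
}

# The advisory recommends building as an unprivileged user; warn if not.
warn_if_root() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "warning: running as root; build Sendmail as an unprivileged user" >&2
        return 1
    fi
    return 0
}

# Usage: verify_md5 sendmail.8.12.6.tar.gz && \
#        verify_signature sendmail.8.12.6.tar.gz sendmail.8.12.6.tar.sig
```

A mismatch or an unknown filename is a non-zero exit so the check can gate an automated build; the signature check is kept separate because a checksum published in the same place as the archive only proves the archive has not changed since the advisory, while the PGP signature ties it to the Sendmail signing key.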