Original issue date: January 21, 1999<BR>
Last revised: January 22, 1999<BR>
<P>A complete revision history is at the end of this file.
<P>The original release of this advisory contained an error. Please
take note of the changes mentioned in the revision history section at
the end of this file.
<P>The CERT Coordination Center has received confirmation that some
copies of the source code for the TCP Wrappers tool (tcpd) were
modified by an intruder and contain a Trojan horse.</P>
<P>We strongly encourage sites running the TCP Wrappers tool to
immediately verify the integrity of their distribution.</P>
<HR>
<H2>I. Description</H2>
<P>TCP Wrappers is a tool commonly used on Unix systems to monitor and
filter connections to network services.</P>
<P>The CERT Coordination Center has received confirmation that some
copies of the file tcp_wrappers_7.6.tar.gz have been modified by an
intruder and contain a Trojan horse. This file contains the source
code for TCP Wrappers version 7.6. This Trojan horse appears to have
been made available on a number of FTP servers since Thursday, January
21, 1999 at 06:16:00 GMT. Copies downloaded prior to this time are not
affected by this particular trojan horse.</P>
<P>The Trojan horse version of TCP Wrappers provides root access to
intruders initiating connections which have a source port of
421. Additionally, upon compilation, this Trojan horse version sends
email to an external address. This email includes information
identifying the site and the account that compiled the
program. Specifically, the program sends information obtained from
running the commands 'whoami' and 'uname -a'. </P>
<H2>II. Impact</H2>
<P>An intruder can gain unauthorized root access to any host running
this Trojan horse version of TCP Wrappers.</P>
<P>Note: If you have already installed a Trojan horse version of TCP
Wrappers, intruders can identify your site using information contained
in this advisory. Please read the "Solution" section and
take appropriate action to protect your site as soon as possible.</P>
<H2>III. Solution</H2>
<P>We encourage sites who downloaded a copy of the TCP Wrapper after
Thursday, January 21, 1999 at 06:16:00 GMT to verify the authenticity
of their TCP Wrapper distribution, regardless of where it was
obtained.</P>
<P>You can use the following MD5 checksums to verify the integrity of
your TCP Wrappers distribution:
<PRE>
Correct version:
tcp_wrappers_7.6.tar.gz
MD5 = e6fa25f71226d090f34de3f6b122fb5a
size = 99438
tcp_wrappers_7.6.tar
MD5 = 5da85a422a30045a62da165404575d8e
size = 360448
Trojan Horse version:
tcp_wrappers_7.6.tar.gz
MD5 = af7f76fb9960a95a1341c1777b48f1df
size = 99186
</PRE>
<A HREF="#Checksums">Appendix A</A> provides checksums for the individual files within the distribution.
<P>It is not sufficient to rely on the timestamps of the file when
trying to determine whether or not you have a copy of the Trojan horse
version.
<P>Additionally, the file tcp_wrappers_7.6.tar.gz is distributed with
the detached PGP signature tcp_wrappers_7.6.tar.gz.sig. </P>
<P> Wietse Venema is the author and maintainer of the TCP Wrappers
distribution.You can verify the integrity and authenticity of your
distribution with Wietse Venema's PGP public key. We have included a
copy of his PGP public key below. Note that the Trojan horse version
was not signed, and that Wietse Venema's PGP key was not compromised
in any way.</P>
<P>As a workaround, until you are able to verify your copies of TCP
Wrappers, you can block inbound connections with a source port of 421
at your network perimeter. However, it is possible that some
operating systems or software may use port 421 in legitimate
connections. Thus, it is possible that some legitimate connections
might be blocked. </P>
<H2>Where to Get TCP Wrappers</H2>
<P>Wietse Venema has moved the primary FTP archive for TCP Wrapper
source to a different location. The primary archive is now located
at</P>
<BLOCKQUOTE>
<P><A HREF="ftp://ftp.porcupine.org/pub/security/">ftp://ftp.porcupine.org/pub/security/</A></P>
</BLOCKQUOTE>
<P>Sites that mirror the TCP Wrapper source code are encouraged to update their
mirroring procedures.</P>
<P>Wietse Venema expresses his gratitude to his former employer,
Eindhoven University, for making possible the development and
distribution of the TCP Wrapper software, and appreciates the support
from system administrators of the department of mathematics and
computing science. </P>
<P>Additionally, we have verified that the distribution of TCP
Wrappers offered by the CERT Coordination Center at ftp.cert.org was
not involved in this activity. TCP Wrappers is available from our FTP
site at</P>
<BLOCKQUOTE>
<P><A HREF="ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.6.tar.gz">ftp://ftp.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.6.tar.gz</A><BR>
MD5 checksum: e6fa25f71226d090f34de3f6b122fb5a</P>
</BLOCKQUOTE>
<H2>Wietse Venema's PGP Public Key</H2>
<BR>
<PRE>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2
mQCNAirDhV8AAAED/i4LrhQ/mwOgam8ZfQpEcxYoE9kru5oRDGtoVeKae/4bUver
aGX7qVtskD6vwPwr2FF6JW2c+z2oY4JGPGUArORiigoT82/q6vqT0Wm1jIPsXQSB
ZCkBoyvBcmXEi+J7eDBbWLPDxeDimgrORbAIQ4uikRafs8KlpNyA8qbVMny5AAUR
tCV3aWV0c2UgdmVuZW1hIDx3aWV0c2VAd3p2Lndpbi50dWUubmw+iQEVAwUQNEfn
hgyPsuGbHvEpAQExUAgAkAZTAVqzICTlVMggjsG9NghqC0FPqO2s9BQLXH3lQDdQ
C2tOx1CYvL3pB8X77alh18/HnUd6PNkloHC2fqNo5eNyuVDeUpvW+mz6IRlndnJU
kLVx/Kzu+h3TooWlX/BSc+k0XsQJ7mpP4QeWvoHll50rBPVLYnv4ODbZh0z5jYfr
Yq2n/05vi5nRdz2gXqRRIorfD46a5n+gQNAvrwhKMRZeyqEfOCtQ+UjMH7tyGG0N
+suzNQtBjypEZkB8OFEQB1Q3RatQlWx55JOfmcba0JBY9umOuNoDPldvIgMbExRP
5tN+qOjsHbm723S1kybyQKEbQgx3pDA3xiz9SBFqjYkBFQMFEDRH59NGYudYIBG4
eQEB3XMH/RXG4wFjy32JDJPaVmS14Ax53VGOBUDLZo9Uv8lG3uTIe886lLeDqWA2
fHyyUFwUBC917NR0D9HCTAAQ5PZYO7kOV5JMSLWoxyLYRimHcUnhfBJ9XthVvjvH
NuItWWXVLND0UjTkmHJSCtTxcM6Yo7NuisIJOYcnRameWK105FPb9i3ATaEejM8C
NPfgiHp9Krv5EVfAHJ+gBy/q4kKqQYFZgdbogVS5aKQJiO5imGEtxGl7qSxfC1WJ
TmrauU/8CbBQM6MvifnIep+LI+IBLwDFSByZDPR5dakjeCGMnNtj2XYEu0mWtz/5
DHOIDGz9whNF1DBUBbHM3BEuUai87eWJAD8DBRA0R+e9YVgWxTrOVf4RAtpXAKDK
jQQ4a7pxrgLA63H4XHhfCNC9PACghwiSLYqPdnsyMM+LN/I3su2zF7OJAJUDBRA0
R+f8d6a8PicAdv0BAXNeBACgGcN9znLn0yHysY852uUntwMS9CAlTdSLkiRaf1gM
sV+VQipFvSzS+rmg/DtiWDJ46Z5ffJe6rMnIn59yGgmkelj6hTDi3eGcarGnIFQJ
PG61JmfdTxtyQ5lY5zpNoBnKwVHCYBoMvpvoe0axVhQm23+j/qll44jcnORmqcYD
YIkAPwMFEDRH56iWgad8PVLgfxECrc8An2xiSfGbEsocbX5eOUkTc6jYiRwCAKDC
FIaSRaNnmB3sHPaj0TnaGri6h4kAlQMFEDRgoatWKpzSj2i9yQEBKQkD/0Znfn9u
jEPIpUpPLO1HvFX16IMx+JXYQcFakporAmvNzw28a351cWNQOTSr0ZS+8G6YNXEQ
WUeI2NE96gIpUmb6m2XNJ5ucdLRG2PsSwwcYtuipRXaR3aHrLwPRDEdlo0ifC+Bm
mV80LrTsnCfR1XvuCGcFkA//BNnXYJnjM36EiQEVAwUQNEUD2zw9PaeQSTXpAQGX
gQgAhlqfuv/aWGeP9Qgdtlq688sP9fADmwzQdQ98lbOL184eW7Or+Dunynh89Sn0
yC90AfwiI3/E75YIZJA4x6qjMan+3p8mNw8WtkUWYZOQ/A91tXQflo/EFqliR4mx
HKmWqubsXzIL6fW3vxC/gQnlNKE3Rx53vwxMMK8u3LFDdLQu0OpXOkmAa4qZh+Pi
DXa77DPYToHcxXeOIvAm+mSqxuBK9URKlGDq4snS3XnlmfdySz2oEsFPN5MUOvQV
gyeHl7aRysa/C8d7tq+FLWN8fQcLpn/3hXHUygdW4KogGVUDFMpckLv1E161AT84
R+fK9ztWoi85CSkFwCESiO8vj4kAlQIFEDBqt5TZp9pcfgqygQEBWvYEAK7oHPhv
4ChPzquWue9maG22iOBO+mJJ6ReKriydzcUUzwwLAEDnzN7TJaWBj7f/M6anrTqT
UxJWcm5R3BzSPecLmM9FN1B+zsJjhqA/BbTjfr7lDuWzplLI55SlezHrSD2Zdh7f
NZp6LjoLWhApUCtwY5JqofYEVutSHLjKnKwAiQEVAwUQMQ6i0ee7tRpdDUB5AQGA
Hgf+MXxcTTo73zq7Iy3n23JjkRYuGRScRyxHPrM4CvCfpxGZ0KqXFydkGjaV2NxW
BUdjZzzrXqExTv/w6l/b/TG5WDqOSkSmmIYYc1c1oaKvbPpwimkzREK9QZABibK8
OA+TN8E2Or7v8/DuwWRVfDdmhblf98PH29wAYvNAwGlftnzfsdOILTxHySZ0724Q
YWDHM876sJ7lvzZ1sPUkv61blq1etB0VrRUJ0YewaqhP/Jmn45ldHRdxjzN8yrzq
u4rzrHx1LJb6j/mHSH7soEwEKpHRCtZNY+PtLcKheFxiFweu8OAMsm574wmybEGr
2EICSA0p4I6UswT0Rcn7Oba/1YkAlQMFEDEOojNOQewbPzG6VQEBXkoEAIoRVBm5
/LmOiOyeB+968KyOPVxCXHZqKePwjt32sz/ozKQUfjvxGE1x2G9gAdSFlfI3qjL3
Iw8MPYspX10nUYbtvcT4QBci6vd/gAut6d1pwl/Rz/ui0HqbjvBxEzLFKNm3ssIp
/FeNyBBO8KZFd+h4Yqc4TqkjiYOnR6CcatI6iQCVAwUQMHjnn+Tyai8iNKttAQHS
IQP+L5lquZYfWQfcYjS+NTTCXC8fSolynnsJfy589knPeQOjxKPv9IdU0bXXzRPh
wXoCftxm08/qrFEzRmLJX8Nbs4VVcJHt1VnoIo+Fu0ASn6JV0f0HiDhPWCJerBYl
wrqTYoPEC8hWGQr93ARda4O83KZ6QQqBFXuKgYHxvHnTTMGJAJUDBRAwc68SAk+E
axRt4o0BAZSCA/9bYDgwudU+uFf2/e2GAUT1gxTHhSPgSKlg8Ca8p6AJeaqB3YvJ
wBgFaqYNNOm0XGl4K2uWXJURTA8rboS+UrN7+besnbLpUZ3WnxIWPMhU0eK4x67M
SH2tSrtz0fZtnOpIkZ0FvPMC/W4yidnGgwT3hxbHjznFH7FE3GYOvWyM/okAlQMF
EDBvvvQx/7eDRBO2kQEBBZwD/jlqZbO1LjpueWSMijLF3ntCm617IcEfG6xz0oRM
M2GEBtgtIIrv5YaTLy8jYPyu5edvvyc/sfcuFBw33wzxThuCfUIqzS/TwjgqSoaT
L1+Rl3h4g+VTSteSWg/+fCfAp5T50DH1Uq3JqiV9lzwdgTK5uMvYmwG8ZHln6ju2
F2E4iQCVAwUQMGqp+hrbNNwC+IyBAQHKggQAtoLHXDwYB2aPM4W3VGdBkT4jm8o1
XgvqaFv/X+7xZKF9UgWRPRFqF88WeZRA2mZb/DxrmuckFsvqhJuvjEvKbr93QYuX
dZG/e7am71WXLBKSPnvsoJY51eT7XrDI6hmqvWcYbngHpHzY+ZB6N9h7qcGw1zRw
t4/Kxbp6nxlFAeqJAJUDBRAwal9L6CVK4w9Ml3UBAY4sBADTn9fOYlwC7iVJVd/z
GMZyW5gvif9PKw+Grfn8S02x9i1OlqX1cgxJkMWoXpQCilQ4jyStv3LekhJ2Btp5
kUCiColOZO4NOb7n0Iuwsnx1TkLl75RWZKDc+7gxA5PxCnzFE+y8O6i4pSuzzhpF
qz4cEnRQ4D+Klrqu+3p43rfETYkAlQIFEDBoJ+kiUZbZZm0AUQEBpNkD/jEfKwJV
xoFTakdUkIyprrZg3uYBTbhwf0rSynUVjm+X3KCbKROEyx6GskzH09D0LT+gTi9z
Z9RrzXv1/yeO/6wte1WZT+vNLhvGrO4yniYm+Os5zSa+5aW/fyHilE02ZNk20r+H
hY6aOmZQ8UXGv+U5ryg48UuGfe920UndQiuYiQCVAwUQMGnKYLnzJzdsy3QZAQGz
lAQAuIRJhf8sAkuy3PeT9UuXvt1uUHwTiEkrDdbFnBQOfmkVxcQOP82gzgWYk5ii
wlTmgT4euodekIzMrMIxqQsqyhvwxxbtD+k3aHFtocrvRUTShO51g8fiQcN7CTbE
eTa3azUpMbiOWnvFTOKqfgAGn039smgkFIojywX7NdE+g+GJAJUDBRAwacpBYmX6
SAdWdFUBAT1dBACeuV567rcGe4rE3Bjl629lWr57C9NtHOfKh63KT1xUHM6f0elq
IfMWBCXTNAmS/rpQ7bjg7+WbWYYct2YKSizpP9/eyFq0Ax2cFzCBi8c2DdUuszEy
PdvX6ZSvXMkR5Z90bLbeH26yzacnyF1MdD0wtAqdtOcs6xHCrfyKl/7CmIkAlQMF
EDBpx1AEJn15jgpJ0QEBCUcD/0gEX5BCjysfVNjRHLibxwv46aqFGf4FED/ZyJEb
jC6szt0q2jzOGZUhMsyYNqmoCSdj2mGDd2AG01HxJRqVpkvaMv5O4XYOvC9oQTwv
8+5EV0Be2HZ+Jfl9Xpyl7TG+3ClQXpUH21C5suiWOTEsexq7a3YvdULELqtlQpBo
pianiQCVAwUQMGf966NsRd57vOpJAQF8ngP9GTFx5J+57n9SsISC/32GleMy0g3l
HJTrjtWnxIOt28DTXI9VxOmaRIh002PJG8d2esFq17DXxJf60M43s14F/6ct/PmB
2psgIayaW+1Mj1FtBAUr4cKsfGZytcKqrHoMvSp7rZHhfgVy/xLMKKCmm+c7xdYJ
Sgbicrpwq1IBuDGJAJUDBRAwZ/wvO3/HvM52ax8BAR+WA/47Zw6LyUQHR0HqikBZ
mu1vTfgG6seat/93V8z2kA80f++FbKisJwzqxUzJ27ERFAgOdbTPGWwuCeWkszd7
TSBVzfoAosU//H1cbIULmD9jv7DLh6lQx+RUEdlD7zkUiVkmhU234AjnzWx1dfLi
g5iJomAE1qLskvbi1k5TRI3St4kAlQMFEDBmoqxYl6t82lyyQQEBekIEANKfx56q
zeVCa9eIic4j2FXpJC5nYUOcdShPkhKWpDZMxNHT5S/gyqZFtgMvqbqKcDsxmtsF
jpHJr7QX1lKBYTAzGUtSPOgb2BiJbHwHfK3GH6TfKqNHt9rYERvBbaekyEEBS8Ds
Vcw1ZTgi/gIBSN83NkLJuc09i/nHg939hdr3iQB1AgUQL8wq2mgPK9CjLmKhAQFv
1AL/bL+vtlG61Dtmu8/kv5HkPiOVqfiomUYI1OfF0amJUNKgBadhdbJ40QGMuhhX
HlWyb4/MnSt4aujnwA8sKhtRKtJHKvjjLf+LTmdMol2wnoK072lLpFumX7aJ3pS1
4aUgiQCVAwUQL4l3ERPcEwSgd4ahAQFt+gP/Zsee/uKXvtMxG5DSCgKpnU9p9QGV
4gnP9bCydQ+brmepEuMSuj9c/VFzHlYLXpJs9ZhfCbjNuuVRyjQIVj3Jbq9s4Xwy
hxc+Q0xglMUhjm18ycJ8PPgkx4e8FdzcSuZfaFI6hH0Er7Jeh/8HOyrKSlsqrGZO
y0HGAuKOWQKP+ZCJAJUDBRAviBbrym8rg/wMAtUBAaEvA/0ZlxCa1Ka/6BQMxaMz
+xdbDPdcbcntpcyuERm2FMY5a2bOr1j4Rpic3zc1+Q9N6ZQA5FJOpWvHB0xXUw5b
No6aG1VAHrmV51jmIUYVJy+DTmXZela9nGHfiM33RvdttDsvox6HTe/teo+fzP3s
6MQaWScLDx33RezVTmVSBk22WYkAlQMFEC99GmfcgPKm1TJ8uQEBJzsD+waYQmJK
G0btGU0+GUTg+bRMSfCGwb9p9vbwnXQIPlQrsF8Bozm8IyFGWxsfKT8dRljqmAEw
KLhaFgYdFrnliuYfmVMw+nSpdpTDVE0N4d7hd8mTN+WCvY0g6x9rv1uBPKK6lPgW
oZHskbzNLwiDXZ5vPKdoSCCIi3aQkCQd+6qxiQCVAgUQLm32FsDH/BbwDwQhAQFZ
qwP/cSSBsmwz45rZ8HP5NhUWxCUG1ZMmavp42mnhObIv03b680ufNMxp8nvbgAXU
WwCnHjmvdUZvzhLZs3g4xTyf6XXGddxVAzQZUEocreD92mzm9uJIi+uzMCcvu9Fm
4Pgu9Tux3ndjVahVBLZEoNoZVdPZAsa+PmkCEX0GFXK+0fmJAJUCBRAubfXabKHQ
hwZ57ZEBAYeaA/9aM5Oi5kaE9KjfVRwxSpyc2UWoEwXwNyabMVpp5HTqZjEnm/n+
0gsB/hcLUWDS1/vGeeP3UfHrDzctPBXwzRs+lAthLuHi8t99MHovELXy3crXEiIo
9jiUSXrYPca88OR+4dh4mt6FidgsxxZh9mFhMUL2IQwCFk8HpLVEC2Jfr4kAlQIF
EC5q5ajjEe6i7yfncQEBrd0D/1gxSJXMa4MtQbsYL0/QpEo4yYCs1dQ/M/IqHTy7
pfbPtVsVBmEyGL3Teu0F0RGC1e8odGEXQTVQazXbSrrbLXbG1v8uix3neCHfrAbi
uGOzgDd/JrY7mjqWSxRpvHsdeSlb0SW/++7u8izosXRUuw6Ykp2l6GacQvbxTJpt
kdSLtCR3aWV0c2UgdmVuZW1hIDx3aWV0c2VAcG9yY3VwaW5lLm9yZz6JARUDBRA1
O5tPy8QyP8SpYiUBAa6RB/4t7WU5FsXq9TaAslIoYtwsbWkPFZSlY1nZkMpoGOmw
dNzdc/MR5A8iC28E9LdZH+89VM1OnctR3MfKMqJoYBgFWmhxMo4VkDnBtMIZbMX+
QnMnp9piwM8T4VbQV49YMj5jbLCr2NUep8JIvd733OGs27SDjU25dHmkKvLf8A1U
BDGM9yKFL+OBJdLuzcTsddIUnLvysgiWAzB2MCriap1tgwYVgqB2DxztwayJusWY
iyv89Av8y8etDZFlAqfGdX/77E/iyQGVUi0kuHSNqePgAGe7idg4rLV3Zd05cNt6
CJ7s6LmOZI+iXA+8r890L+0VqRN4C/mNEQndtn9Bxv0tiQCVAwUQNNkG9NyA8qbV
Mny5AQGhEwP9GSNPhi0X+W0E35V4Iu/bvanFmjfwklkQbJaDhBMddhDtrJVzbZEv
e9AsQxEhK9me+Xql7ZQzOAjyM4c1aFO2+sq69H8z+e+pOkV/yWnRKIX9lVV4YJpK
ZLUSjKnV2Tvqo9EKXpFwjptO/YU1PZFEqXe/i3iIRecSOLJLqKvN3Zs=
=+cGX
-----END PGP PUBLIC KEY BLOCK-----
</PRE>
<HR>
<A NAME="checksums"></A>
<H2>Appendix A - Checksums</H2>
<P>This appendix provides checksums for the individual files within
the TCP Wrappers distribution. </P>
<P><FONT FACE="Courier New, Courier, mono">MD5 (BLURB) = 627fc45308e852c446c3606647fa8c34<BR>
MD5 (Banners.Makefile) = e53315d5713278df908248602b129955 <BR>
MD5 (CHANGES) = ff08c72b8c9c8d56ba9bf3e90d477639<BR>
</FONT><FONT FACE="Courier New, Courier, mono">MD5
(DISCLAIMER) = 071bd69cb78b18888ea5e3da5c3127fa <BR>
MD5 (Makefile) = 0037774577650534f898949d892144ec <BR>
MD5 (README) = 2452fb4f9d06500ec0634d7b64aaf76b <BR>
MD5 (README.IRIX) = 36603b049d5f89a26a300825c3021310 <BR>
MD5 (README.NIS) = 147a07f2d3e673121dec4975849994e8 <BR>
MD5 (clean_exit.c) = 1bac137fdc9c151351c0b33c9026421f <BR>
MD5 (diag.c) = 8f3d561785f3314a35a9de09d11ccdaa <BR>
MD5 (environ.c) = 9fa4c0f2fff89d00a4b1283730eab739 <BR>
MD5 (eval.c) = b4fbd49308d5a8f77315167a4ee10339 <BR>
MD5 (fakelog.c) = b329ab5443158e4c79f55710f9a675d0 <BR>
MD5 (fix_options.c) = 99f3cb7841d8bf941bf6750fd7a96df1 <BR>
MD5 (fromhost.c) = d880bab3c12c4109e95cdd69470e4ea3 <BR>
MD5 (hosts_access.3) = 7993a6a2a27f729254bf29c13f48e9ab <BR>
MD5 (hosts_access.5) = 67085bc60fb9cbb70be7cb6490002923 <BR>
MD5 (hosts_access.c) = cec0cba4a2df178e8857510704cc38f3 <BR>
MD5 (hosts_ctl.c) = edad608818ee499ad0497dbabad43227 <BR>
MD5 (hosts_options.5) = c4920a00f777844c6e8136e52e260264 <BR>
MD5 (inetcf.c) = 02ccca613950bfe18706d0c39cbca9ea <BR>
MD5 (inetcf.h) = 2a7ac52919ccece4946943067455b1d8 <BR>
MD5 (misc.c) = b74358d00ad758286a44c933fee4eda2 <BR>
MD5 (miscd.c) = 720b62d42e8162cb7b696002e56ece6e <BR>
MD5 (mystdarg.h) = ce79d3c00d2ad46db810610c573bce2a <BR>
MD5 (myvsyslog.c) = 619fd9232e456e8ab75625f25dd58952 <BR>
MD5 (ncr.c) = dc5262ae64eb1e3305bcfdc00e8fb9c9 <BR>
MD5 (options.c) = 8b27d55628eb2b666b27f015ee2182b0 <BR>
MD5 (patchlevel.h) = 92e06ff46922390163fdb46af95894f4 <BR>
MD5 (percent_m.c) = 721472d1cc7cc8d4960d800057ed8ec1 <BR>
MD5 (percent_x.c) = a406be699b48a19fb741fe8f31732698 <BR>
MD5 (printf.ck) = 7dafed0315ad74bc7a28e7d747f29819 <BR>
MD5 (ptx.c) = 9ab79f1b51877bbeeac82db794b25ad9 <BR>
MD5 (refuse.c) = 5f2c0874378f640a86897f5531616dc7 <BR>
MD5 (rfc931.c) = e629b1f5cfdc97dc43301ed1186f7c37 <BR>
MD5 (safe_finger.c) = 7e4a788b375b7b05a60d24cd0c83b0b3 <BR>
MD5 (scaffold.c) = ce9473ec933a5478d3522a15223c48c2 <BR>
MD5 (scaffold.h) = 6b9d803d78ec0a6946f329d5a9856b53 <BR>
MD5 (setenv.c) = 44209db39c4d3a173d2933b04f67320e <BR>
MD5 (shell_cmd.c) = 57b7371b951329db7b5f699e99798164 <BR>
MD5 (socket.c) = 00f0890b1bc3e453ce44ccd64223b0c5 <BR>
MD5 (strcasecmp.c) = 1e72db28013fc87fedcdbc155d8ba7fa <BR>
MD5 (tcpd.8) = eaee4abbff9c2853b4e5122ec1fb7a1b <BR>
MD5 (tcpd.c) = a8255a587f31a38b4a7485a5c8d904a3 <BR>
MD5 (tcpd.h) = 076cf6456199450a4b81aec77165c716 <BR>
MD5 (tcpdchk.8) = ed7b220f6ac7906ae326ac8fa3d04a11 <BR>
MD5 (tcpdchk.c) = fe8a07ff2642e8b55922e6be510b9ed3 <BR>
MD5 (tcpdmatch.8) = 85bc0335c865954ca534c9a17c666b53 <BR>
MD5 (tcpdmatch.c) = 8af6daf4a1e9d9935956f1d31e54ab4f <BR>
MD5 (tli-sequent.c) = 6266612530ec81b4c3f90cbe34fcd108 <BR>
MD5 (tli-sequent.h) = 9e8d21063e9157e7c2a4e9e3e3281e8b <BR>
MD5 (tli.c) = 7efc6e3c9915d6e8ca762342b540573d <BR>
MD5 (try-from.c) = c6a00f028c9578a881018b505857a05d <BR>
MD5 (update.c) = 77c218e0e6366d2327f52068f863d12b <BR>
MD5 (vfprintf.c) = 332dc8be89d5a59abc3036b490ba07d0<BR>
MD5 (workarounds.c) = d1e7b5abf95067313b7668d8c10a2c5c </FONT></P>
<HR>
<P>The CERT Coordination Center wishes to thank Wietse Venema for his
assistance in resolving this problem and Roy Arends of CERT-NL for
valuable input in constructing this advisory. Additionally, we would
like to thank Jochen Bauer of the Institute for Theoretical Physics at
the University of Stuttgart for identifying an error in an earlier
version of this advisory. </P>
<P> Wietse Venema expresses his appreciation to Andrew Brown of
Crossbar Security, Inc. for noticing that the TCP Wrapper source code
had been tampered with, and for informing the author of the
incident. </P>
<p><!--#include virtual="/include/footer_nocopyright.html" --> </p>
<p>Copyright 1999 Carnegie Mellon University.</p>
<HR>
Revision History
<PRE>
Fri January 22, 1999 Modified to reflect that the Trojan horse
provides root access to intruders initiating
connections from source port of 421 as opposed
to a destination port of 421.
Added section indicating that the primary FTP
archive for TCP Wrapper source has changed.
Added an MD5 checksum and size for the correct
version of the file tcp_wrappers_7.6.tar.
Added MD5 checksums for individual files
within the TCP Wrapper distribution.
</PRE>
|