The popular Unix administrative tool, available free from many FTP sites, has been replaced in some cases by a look-alike program that's really a Trojan horse, officials from the Computer Emergency Response Team organisation confirmed Thursday night. "It was just a matter of time before they got something this big/popular," said Jeff Francis, a Unix systems consultant. "Everybody uses TCP Wrappers. Heck, I even have it installed on my home machine."
Once the tampered archive has been downloaded and the system administrator begins the installation process, it secretly sends e-mail to an external address, probably notifying the Trojan horse author which network has been successfully attacked. After the installation, the program listens on port 421 for a connection, and once a connection is established, the remote computer is granted a "privileged shell," or root access, which means the hacker can do whatever he or she wishes on the infected machine.
Specifically, the e-mail contains the output of the commands whoami and uname -a, which identify the account doing the installation and the operating system of the host.
While CERT Internet Response team leader Jeff Carpenter said he did not know of any networks that had been actually intruded upon, CERT took the unusual step of notifying the media because of the Trojan's potential.
"This is a very popular program. Many, many sites utilise this because it allows administrators to more tightly control access with more flexibility than the default system," Carpenter said. CERT officials say at least 52 sites have downloaded infected copies of TCP Wrappers, but the true number is probably much higher, because several of those sites are themselves FTP mirrors. In other words, copies of the Trojan are being redistributed by multiple FTP servers.
Ironically, TCP Wrappers is a tool commonly used on Unix systems to monitor and filter connections to network services. Any copy of TCP Wrappers 7.6 downloaded as the file tcp_wrappers_7.6.tar.gz on Thursday is suspect. The Trojan horse appears to have been made available on a number of FTP servers since Jan. 21, 1999, at 06:16:00 GMT. More information on identifying the impostor program can be found on CERT's Advisory Web page. A clean copy of TCP Wrappers can be downloaded from CERT.
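The two checks an administrator would want after reading the above are (1) that a downloaded tcp_wrappers_7.6.tar.gz matches a digest obtained from a trusted source rather than from the mirror that served it, and (2) that no unexpected process is listening on port 421, the port the article says the Trojan uses. The following Python script is an added illustration, not code from the article or from CERT. The digest constant is a placeholder (the article gives no checksums), and the netstat output is a constructed sample; the parser accepts the column layouts of both "netstat -an" and "ss -lnt".

```python
import hashlib
import re

# Port on which the trojaned TCP Wrappers 7.6 build listens for a connection,
# according to the CERT report quoted in the article.
TROJAN_PORT = 421

# Placeholder only: the real digest of a clean tcp_wrappers_7.6.tar.gz must be
# obtained out of band (e.g. from CERT's advisory page), never from the FTP
# mirror that served the archive itself.
EXPECTED_SHA256_PLACEHOLDER = "<digest-of-clean-archive-from-trusted-source>"

# Constructed sample of `netstat -an` output containing one unexpected listener.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:421             0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:22           198.51.100.7:50421      ESTABLISHED
"""

# Matches an address field such as 0.0.0.0:421, [::]:421 or *.421 (BSD style).
ADDR_RE = re.compile(r"^(?P<host>.+)[:.](?P<port>\d+|\*)$")


def sha256_hex(data):
    """Hex SHA-256 of the archive bytes."""
    return hashlib.sha256(data).hexdigest()


def tarball_matches(data, expected_sha256):
    """True only if the downloaded archive matches the trusted digest."""
    return sha256_hex(data) == expected_sha256.strip().lower()


def local_port(fields):
    """Port of the first address-looking field in a netstat/ss line.

    In both netstat and ss output the local address precedes the peer
    address, so the first match is the local socket.
    """
    for field in fields:
        m = ADDR_RE.match(field)
        if m and m.group("port") != "*":
            return int(m.group("port"))
    return None


def listeners_on_port(netstat_output, port=TROJAN_PORT):
    """Return the LISTEN lines whose local address is bound to `port`.

    A hit means the owning process should be identified and examined; it is
    a reason to investigate, not proof of compromise on its own.
    """
    hits = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if "LISTEN" not in fields:
            continue
        if local_port(fields) == port:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    # On a live host, feed the real output of `netstat -an` or `ss -lnt` here.
    for hit in listeners_on_port(SAMPLE_NETSTAT):
        print("unexpected listener:", hit)
```

The digest comparison only helps if the reference value is fetched from somewhere the attacker could not also have replaced, which is why it is kept separate from the download; a matching PGP signature from the upstream author, where one is published, is a stronger check for the same reason.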