From proff  Mon May 13 19:32:53 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id TAA27151 for best-of-security; Mon, 13 May 1996 19:32:52 +1000
Received: (list@localhost) by suburbia.net (8.7.4/Proff-950810) id SAA16466 for proff@suburbia.net; Wed, 8 May 1996 18:25:25 +1000
X-Envelope-From: chris@rivers.dra.hmg.gb  Wed May  8 18:25:17 1996
Received: from relay.mod.uk (relay.mod.uk [192.5.29.50]) by suburbia.net (8.7.4/Proff-950810) with SMTP id SAA16373 for <best-of-security@suburbia.net>; Wed, 8 May 1996 18:24:31 +1000
Received: from hermes.dra.hmg.gb by relay.mod.uk with local SMTP id <g.01652-0@relay.mod.uk>; Wed, 8 May 1996 09:23:50 +0100
Received: from wandle.dra.hmg.gb by hermes.dra.hmg.gb (MX V4.1 VAX) with SMTP;
          Wed, 08 May 1996 09:22:33 GMT
Received: from rivers.dra.hmg.gb by wandle.dra.hmg.gb with smtp(Smail3.1.28.1
          #64) id m0uH4W0-0007V6C; Wed, 8 May 96 09:22 WET DST
Received: from wandle.dra.hmg.gb by brandywine.dra.hmg.gb with
          smtp(Smail3.1.28.1 #94) id m0uGqa2-0002kLC; Tue, 7 May 96 18:29 BST
          for chris
Received: from hermes.dra.hmg.gb by wandle.dra.hmg.gb with smtp(Smail3.1.28.1
          #64) id m0uGqa0-0007V6C; Tue, 7 May 96 18:29 WET DST
Received: from relay.mod.uk by hermes.dra.hmg.gb (MX V4.1 VAX) with SMTP; Tue,
          07 May 1996 18:28:59 GMT
Received: from norn.mailbase.ac.uk by relay.mod.uk with Internet SMTP id
          <g.07066-0@relay.mod.uk>; Tue, 7 May 1996 18:28:52 +0100
Received: by norn.mailbase.ac.uk id <RAA13828@norn.mailbase.ac.uk> (8.6.12/ for
          mailbase.ac.uk); Tue, 7 May 1996 17:11:11 +0100
Received: from olympian.ukerna.ac.uk by norn.mailbase.ac.uk id
          <RAA13785@norn.mailbase.ac.uk> (8.6.12/ for mailbase.ac.uk) with
          ESMTP; Tue, 7 May 1996 17:11:02 +0100
Received: from [193.62.83.4] (actually host hactor.ukerna.ac.uk) by
          olympian.ukerna.ac.uk with SMTP (PP); Tue, 7 May 1996 17:10:57 +0100
X-Sender: djj@hermes.ukerna.ac.uk
Message-ID: <v02120d0eadb51f8dd89d@[193.62.83.4]>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 7 May 1996 17:10:59 +0100
To: uk-security@mailbase.ac.uk
From: D.Jackson@ukerna.ac.uk (Dennis Jackson)
Subject: possible forged CERT/CC advisory
X-List: uk-security@mailbase.ac.uk
X-Unsub: To leave, send text 'leave uk-security' to mailbase@mailbase.ac.uk
Reply-To: D.Jackson@ukerna.ac.uk (Dennis Jackson)
Sender: proff
Precedence: list
Resent-To: best-of-security@suburbia.net
Resent-Date: Wed, 08 May 1996 09:22:32 +0100
Resent-Message-ID: <10839.831543752@rivers.dra.hmg.gb>
Resent-From: Christopher Samuel <chris@rivers.dra.hmg.gb>

-----BEGIN PGP SIGNED MESSAGE-----

We have received information suggesting there may be a forged version of a
CERT/CC Advisory circulating on the Internet. We would like to know if anyone
has seen a copy of this advisory.

Apparently, at first sight the forged advisory appears quite authentic.
However, the characteristics of the forged advisory are:

1 - Topic: Sendmail Vulnerabilities

2 - Appendix B contains a sendmail wrapper that is in fact a trojan
    horse.  The wrapper spawns a child that listens on port 8996.  When
    a connection is received, this wrapper spawns a copy of /bin/sh.
    The wrapper, once activated, runs forever.  Subsequent invocations
    of the wrapper exit silently when they discover that port 8996 is
    already in use (bind returns -1 and errno is set to EADDRINUSE).

3 - CERT(sm) Advisory CA-96.09 April 22, 1996
    or
    Advisory CA-96.10

    The true Advisory CA-96.09 deals with vulnerabilities in rpc.statd
    and was released on April 24, 1996. CA-96.10 is not yet assigned.

4 - Careful study of the headers of the message shows that it did not
    originate from CERT/CC (i.e., @cert.org).
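
    [Added example, not part of the original message: a small Python
    script that turns items 2 and 4 above into checks a site could run.
    It probes whether TCP port 8996 is already bound on the local host,
    using the same EADDRINUSE behaviour the message describes, and it
    compares the domain claimed in a message's From: line with the host
    named in the earliest Received: hop. The sample headers, the
    function names and the example.net/example.org hosts are constructed
    for illustration and do not come from the forged advisory.]

```python
import errno
import re
import socket
from email import message_from_string
from email.utils import parseaddr

# Item 2: the trojaned wrapper listens on TCP port 8996; later copies
# find bind() failing with EADDRINUSE.  A bind probe reuses that fact.
SUSPECT_PORT = 8996


def port_in_use(port, host="127.0.0.1"):
    """Return True if bind() on (host, port) fails with EADDRINUSE."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return True
            raise
    return False


def self_test_port_check():
    """Hold an ephemeral port ourselves, then confirm the probe sees it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        busy = port_in_use(port)          # expected True while held
    free = port_in_use(port)              # expected False once released
    return busy, free


# Item 4: Received: headers are prepended by each hop, so the last one
# in the list is the earliest hop.  Compare that host with the domain
# the From: line claims.
_FROM_HOST = re.compile(r"\bfrom\s+([\w.\-\[\]]+)", re.IGNORECASE)


def received_hosts(msg):
    """Hosts named after 'from' in Received: headers, latest hop first."""
    hosts = []
    for hdr in msg.get_all("Received", []):
        match = _FROM_HOST.search(hdr)
        if match:
            hosts.append(match.group(1).lower())
    return hosts


def check_advisory_origin(raw_message):
    """Report whether the earliest hop lies in the From: domain."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    claimed = addr.rpartition("@")[2].lower()
    hops = received_hosts(msg)
    origin = hops[-1] if hops else ""
    consistent = bool(claimed) and (
        origin == claimed or origin.endswith("." + claimed)
    )
    return {"claimed_domain": claimed, "origin_host": origin,
            "consistent": consistent}


# Constructed sample headers (hypothetical hosts, not from the advisory).
SAMPLE_FORGED = """\
Received: from mailhost.example.net (mailhost.example.net [192.0.2.10])
          by mx.example.org with SMTP; Mon, 6 May 1996 10:00:00 +0100
Received: from dialup-7.example.net by mailhost.example.net with SMTP;
          Mon, 6 May 1996 09:58:00 +0100
From: cert-advisory@cert.org
Subject: CERT Advisory CA-96.09: Sendmail Vulnerabilities
"""

SAMPLE_GENUINE = """\
Received: from mailer.cert.org (mailer.cert.org [192.0.2.20])
          by mx.example.org with SMTP; Mon, 6 May 1996 10:00:00 +0100
From: cert-advisory@cert.org
Subject: CERT Advisory CA-96.09: rpc.statd vulnerability
"""


if __name__ == "__main__":
    print("port %d in use on this host: %s"
          % (SUSPECT_PORT, port_in_use(SUSPECT_PORT)))
    for label, sample in (("forged", SAMPLE_FORGED),
                          ("genuine", SAMPLE_GENUINE)):
        print(label, check_advisory_origin(sample))
```

    Both checks are indicators, not proof: Received: lines below the
    first trusted relay are written by the sender and can be forged too,
    and a busy port 8996 may belong to any legitimate service. A positive
    result is a reason to inspect the host (what process holds the port,
    and what the sendmail wrapper actually contains) and to confirm the
    advisory against CERT/CC's own copy.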

Dennis Jackson                                  tel: 01235 822340
JANET-CERT Coordinator                          fax: 01235 822398
UKERNA                                          cert@cert.ja.net



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMY9vBesUbum/6+3dAQEqbQP/ZLAv2N31ugnzBGbHRpYa0114MVO2EdiQ
fjD1Bl0Niqrmf3lban4kHF4w8oBSzyUQaqblVCJZC6JCFOgnPM+NNskfafL9ZecZ
t7MYH+x9YO2HlJYwSgYaZv1Lq7LT3DQ0LUOAy3PIUUh2fCdr5lEd5K4lWp+E67rK
sOj5R9S7GYc=
=MP6Q
-----END PGP SIGNATURE-----