From owner-freebsd-security Wed Oct 9 13:28:30 2002
From: Dragos Ruiu
Reply-To: dr@kyx.net
Organization: all terrain ninjas
To: freebsd-security@FreeBSD.ORG
Subject: Re: Sendmail trojan...?
Date: Wed, 9 Oct 2002 13:27:18 +0000
References: <3DA3AE76.1070006@deevil.homeunix.org> <20021009142546.GA27227@darkstar.doublethink.cx> <20021009080341.A26616@zardoc.esmtp.org>
In-Reply-To: <20021009080341.A26616@zardoc.esmtp.org>
Message-Id: <200210091327.18139.dr@kyx.net>

On October 9, 2002 03:03 pm, Claus Assmann wrote:
> On Wed, Oct 09, 2002, Chris Faulhaber wrote:
> > Yes, the source in the tree has been verified against the
> > signed tarball; plus, it was the configure script that was
> > backdoored which buildworld does not use.
>
> It was not the configure script. I'm wondering who came up with
> this rumor; please stop spreading it.

Where is the best collection of forensic information about this
so the method can be understood and effects checked for?

The CERT advisory mentioned trojaned versions "contain malicious
code that is run during the process of building the software."
It was less than illuminating about the method after that.

thanks,
--dr

--
dr@kyx.net   pgp: http://dragos.com/kyxpgp
Advance CanSecWest/03 registration available: http://cansecwest.com
"The question of whether computers can think is like the question of
whether submarines can swim." --Edsger Wybe Dijkstra 1930-2002