CVE-1999-0661
Published: 1999-01-01
Priority: P3 48
CVSS 2.0: 10 (critical), AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 54.24% (98.9th percentile)
A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) util-linux 2.9g, (3) wuarchive ftpd (wuftpd) 2.2 and 2.1f, (4) IRC client (ircII) ircII 2.2.9, (5) OpenSSH 3.4p1, or (6) Sendmail 8.12.6.
Detection & IOCs (extracted from sources)
- Trojanized sendmail 8.12.6 source was available on ftp.sendmail.org between September 28, 2002 and October 6, 2002; HTTP distribution was not affected. Verify downloaded archives against the published MD5 checksums.
- The backdoor executes at compile time (build-time trojan) by injecting a shell script into the configure/test phase that compiles and runs a reverse-connect binary targeting 66.37.138.99:6667.
- The malicious modification is isolated to libsm/t-shm.c; diff the file against the clean release and look for the added shm64() call and sm_base64_data[] array containing the encoded payload.
- Only sendmail source downloaded via FTP from ftp.sendmail.org in the affected window is trojaned; HTTP distributions from the Sendmail Consortium site are clean.
- The C2 listener on port 6667 of spatula.aclue.com was reportedly disabled at time of disclosure, but the trojan binary still attempts the connection and should be treated as active infrastructure for detection purposes.
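The libsm/t-shm.c check described above can be run against an archive without unpacking or building it. The following is an added example, not code from the advisory or the Sendmail project: it reads the file straight out of the tarball and reports the two identifiers named above. The archive path prefix and the sample file bodies are constructed placeholders, and a clean result here does not replace checksum verification.

```python
import io
import re
import tarfile

# Indicators named in the advisory text above; a clean libsm/t-shm.c has neither.
INDICATORS = {
    "shm64() call": re.compile(r"\bshm64\s*\("),
    "sm_base64_data[] array": re.compile(r"\bsm_base64_data\s*\["),
}
TARGET_SUFFIX = "libsm/t-shm.c"


def scan_source(text):
    """Return the names of indicators present in one C source file."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))


def scan_archive(fileobj):
    """Scan a (possibly compressed) tar stream; map member path -> indicators."""
    # Members are read in memory and never extracted, so nothing from an
    # untrusted archive is written to disk or executed.
    hits = {}
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if member.isfile() and member.name.endswith(TARGET_SUFFIX):
                data = tar.extractfile(member).read().decode("latin-1")
                hits[member.name] = scan_source(data)
    return hits


def make_tar(files):
    """Build an in-memory .tar.gz from {path: text} (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            raw = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(raw)
            tar.addfile(info, io.BytesIO(raw))
    buf.seek(0)
    return buf


# Constructed samples: placeholders, not the real file contents.
CLEAN = "int main(void) { /* shared memory test */ return 0; }\n"
TAMPERED = 'static char sm_base64_data[] = "PLACEHOLDER";\nint main(void) { shm64(); return 0; }\n'

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(label, scan_archive(make_tar({"sendmail-8.12.6/libsm/t-shm.c": body})))
```

An empty list for libsm/t-shm.c means neither identifier was found; an empty result dictionary means the archive did not contain that file at all and should be checked by hand.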
- http://marc.info/?l=bugtraq&m=102820843403741&w=2
- http://marc.info/?l=bugtraq&m=102821663814127&w=2
- http://online.securityfocus.com/archive/1/294539
- http://www.cert.org/advisories/CA-1994-07.html
- http://www.cert.org/advisories/CA-1994-14.html
- http://www.cert.org/advisories/CA-1999-01.html
- http://www.cert.org/advisories/CA-1999-02.html
- http://www.cert.org/advisories/CA-2002-28.html
- http://www.iss.net/security_center/static/10313.php
- http://www.securityfocus.com/bid/5921