Vandals hack Sendmail site

Stable door shut after the Trojan horse has bolted...

Online vandals hacked into the primary download server for Sendmail.org and replaced key software with a Trojan horse.

The attack on Sendmail didn't leave a back door in the popular open-source email software package, as previously believed, but compromised the download software on the Sendmail consortium's primary server so that every tenth request for source code would receive a modified copy in reply.

Eric Allman, chief technology officer of Sendmail, which sells a version of the open-source email server program, said: "The exploited code that we see is not in our [development] tree at all. It seemed to be going to the [Sendmail] host, but it was delivering a corrupted file that wasn't on our server anywhere."

The problem apparently only affects source code for version 8.12.6 of Sendmail downloaded between 28 September and 6 October, according to an advisory posted by the Computer Emergency Response Team (CERT) Coordination Center on Tuesday.

While the Sendmail development group is only just starting its forensic analysis of the computer that hosted the files, Allman said its current theory is that the FTP server had been hacked. If a user tried to download the latest Sendmail source code from the ftp.sendmail.org server, a compromised copy of the code would be sent instead about 10 per cent of the time. "It was a little bizarre that way," said Allman.

If the evidence confirms the theory, the hack would definitely be a strange way to compromise a downloadable file, said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security. "I'm not sure why they would want to do that," he said.

A Trojan horse is a program that appears to be a legitimate piece of software but in fact has unwanted functions that allow a company or hacker to access the victim's computer. The FTP server compromised by this attack apparently provided people who requested downloads not with the Sendmail source file, but with a Trojan-horse copy. This copy included a non-Sendmail test component that, when compiled, started a program that opens a covert channel to another server on the internet. That server has since been configured to block the covert connection, according to messages posted to the Bugtraq security list.

According to Sendmail's Allman, taking into account the one-in-10 ratio, about 200 people may have downloaded the corrupted software over the eight-day period.

Robert Lemos writes for News.com
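The defensive lesson of an intermittently tampered download server is that a source archive must be checked against a digest (or signature) obtained through a channel the server cannot alter before it is ever compiled. The following Python example is added here and is not code from the article, from Sendmail or from CERT; the archive bytes, the pinned digest and the "every tenth request" server are all constructed stand-ins, and the verification and mirror-survey routines are illustrative rather than any project's tooling.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for a genuine source archive (not the real Sendmail 8.12.6 tarball).
GOOD_ARCHIVE = b"sendmail-8.12.6-source: genuine build files\n"
# Constructed stand-in for a tampered copy: the same archive plus an injected test component.
TAMPERED_ARCHIVE = GOOD_ARCHIVE + b"# injected test component (constructed placeholder)\n"

# Digest a maintainer would publish through an independent channel (for example a signed
# announcement), so that whoever controls the download server cannot change it in step
# with the file. Here it is simply computed from the constructed good archive.
PINNED_SHA256 = hashlib.sha256(GOOD_ARCHIVE).hexdigest()
TAMPERED_SHA256 = hashlib.sha256(TAMPERED_ARCHIVE).hexdigest()


def make_compromised_server(every_nth: int = 10) -> Callable[[], bytes]:
    """Return a fake download function that serves the tampered archive on every
    `every_nth` request, mirroring the roughly one-in-ten behaviour the advisory
    describes. This is a constructed simulation, not a network client."""
    counter = {"requests": 0}

    def fetch() -> bytes:
        counter["requests"] += 1
        if counter["requests"] % every_nth == 0:
            return TAMPERED_ARCHIVE
        return GOOD_ARCHIVE

    return fetch


def verify_download(data: bytes, expected_sha256: str) -> bool:
    """Check one downloaded archive against the out-of-band digest before building it."""
    return hashlib.sha256(data).hexdigest() == expected_sha256


def find_bad_downloads(fetch: Callable[[], bytes], attempts: int,
                       expected_sha256: str) -> List[int]:
    """Return the 1-based request numbers whose content failed verification."""
    bad: List[int] = []
    for i in range(1, attempts + 1):
        if not verify_download(fetch(), expected_sha256):
            bad.append(i)
    return bad


def survey_mirror(fetch: Callable[[], bytes], attempts: int) -> Dict[str, int]:
    """Fetch the same path repeatedly and count how often each distinct digest is served.
    A server that returns more than one digest for one static file is serving
    inconsistent content and should be treated as suspect until investigated, even
    when no pinned digest is available to say which copy is genuine."""
    seen: Dict[str, int] = {}
    for _ in range(attempts):
        digest = hashlib.sha256(fetch()).hexdigest()
        seen[digest] = seen.get(digest, 0) + 1
    return seen


if __name__ == "__main__":
    server = make_compromised_server(10)
    print("failed verification on requests:", find_bad_downloads(server, 30, PINNED_SHA256))
    print("distinct digests served:", survey_mirror(make_compromised_server(10), 50))
```

Two points in the design are worth noting. First, the pinned digest has to come from somewhere other than the server being checked; a checksum file sitting next to the tarball on a compromised host proves nothing, because the attacker can rewrite both. Second, the survey routine catches the unusual one-in-ten pattern reported here without any trusted reference at all: one static file yielding two different digests across repeated fetches is by itself a signal that the distribution point is not behaving honestly.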
