Subject: wuarchive ftpd Trojan
To: None <current-users@sun-lamp.cs.berkeley.edu>
From: Michael Graff <explorer@iastate.edu>
List: current-users
Date: 04/06/1994 16:28:37
Just so you folks using wuarchive's super ftpd know about this...
------- Forwarded Message
Subject: Re: wuarchive ftpd Trojan
Newsgroups: alt.security,comp.security.misc,comp.security.unix,comp.unix.admin
In-Reply-To: <2nutuq$q5d@anshar.shadow.net>
Organization: Iowa State University, Ames, Iowa (USA)
In article <2nutuq$q5d@anshar.shadow.net> you write:
}
}Well, finally it has happened again. A major program has been trojaned.
}
}CERT advisory as always lacks any concrete information about it
}other than to say, you need to get the newest version.
}
}It might be more useful to say what the trojan was, or how
}it was implemented, because how do I know some intruder didn't stick
}his trojan into the newest version of wu-ftp and sendmail as well?
}
}I'd like to point out that 8lgm (Karl Strickland and Neil Woods)
}were contributors to the fact that CERT released this advisory.
}
}From cert-advisory-request@cert.org Wed Apr 6 13:37:03 1994
}Received: from cert.org (cert.org [192.88.209.5]) by shadow.net (8.6.8.1/jc-1.0) with SMTP id NAA26148 for <cklaus@shadow.net>; Wed, 6 Apr 1994 13:37:02 -0400
}Received: from clorets.cert.org by cert.org (4.1/cert-5.2)
} id AA00802; Wed, 6 Apr 94 13:21:26 EDT
}Received: by clorets.cert.org (5.65/2.5)
} id AA02450; Wed, 6 Apr 94 12:54:39 -0400
}Message-Id: <9404061654.AA02450@clorets.cert.org>
}From: CERT Advisory <cert-advisory-request@cert.org>
}Date: Wed, 6 Apr 94 12:51:16 EDT
}To: cert-advisory@cert.org
}Subject: CERT Advisory - wuarchive ftpd Trojan Horse
}Organization: Computer Emergency Response Team : 412-268-7090
}Status: OR
}
}=============================================================================
}CA-94:07 CERT Advisory
} April 6, 1994
} wuarchive ftpd Trojan Horse
}-----------------------------------------------------------------------------
}
}The CERT Coordination Center has received confirmation that some copies
}of the source code for the wuarchive FTP daemon (ftpd) were modified by
}an intruder, and contain a Trojan horse.
}
}We strongly recommend that any site running the wuarchive ftpd take steps
}to immediately install version 2.3, or disable their FTP daemon.
}
}-----------------------------------------------------------------------------
}
}I. Description
}
} Some copies of the source code for versions 2.2 and 2.1f of the
} wuarchive ftpd were modified by an intruder, and contain a Trojan
} horse. If your FTP daemon was compiled from the intruder-modified
} source code, you are vulnerable.
}
} It is possible that previous versions of the source code for the server
} were modified in a similar manner.
}
} If you are running the wuarchive ftpd, but not providing anonymous FTP
} access, you are still vulnerable to this Trojan horse.
}
}
}II. Impact
}
} An intruder can gain root access on a host running an FTP daemon
} that contains this Trojan horse.
}
}
}III. Solution
}
} We strongly recommend that any site running the wuarchive ftpd (version
} 2.2 or earlier) take steps to immediately install version 2.3.
}
} If you cannot install the new version in a timely manner, you should
} disable FTP service. It is not sufficient to disable anonymous FTP.
} You must disable the FTP daemon.
}
} Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net, in the
} "/networking/ftp/wuarchive-ftpd" directory. We recommend that you turn
} off your FTP server until you have installed the new version.
}
} Be certain to verify the checksum information to confirm that you have
} retrieved a valid copy.
}
}                                BSD         SVR4
}    File                      Checksum    Checksum    MD5 Digital Signature
}    -----------------         ---------   ---------   --------------------------------
}    wu-ftpd-2.3.tar.Z         24416 181   30488 361   e58adc5ce0b6eae34f3f2389e9dc9197
}
}
}---------------------------------------------------------------------------
}The CERT Coordination Center wishes to thank Bryan O'Connor and Chris Myers
}of Washington University in St. Louis for their invaluable assistance in
}resolving this problem. CERT also gratefully acknowledges the help of
}Neil Woods and Karl Strickland.
}---------------------------------------------------------------------------
}
}If you believe that your system has been compromised, contact the CERT
}Coordination Center or your representative in the Forum of Incident
}Response and Security Teams (FIRST).
}
}If you wish to send sensitive incident or vulnerability information to
}CERT via electronic mail, CERT strongly advises that the e-mail be encrypted.
}CERT can support a shared DES key, PGP (public key available via
}anonymous FTP on info.cert.org), or PEM (contact CERT for details).
}
}Internet E-mail: cert@cert.org
}Telephone: 412-268-7090 (24-hour hotline)
} CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
} and are on call for emergencies during other hours.
}
}CERT Coordination Center
}Software Engineering Institute
}Carnegie Mellon University
}Pittsburgh, PA 15213-3890
}
}Past advisories, information about FIRST representatives, and other
}information related to computer security are available via anonymous
}FTP from info.cert.org.
}
}
}--
}Christopher William Klaus Email: cklaus@shadow.net Author:Inet Sec. Scanner
}2209 Summit Place Drive,Dunwoody, GA 30350-2430. (404)998-5871.
------- End of Forwarded Message
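The advisory tells sites to verify the checksum table before installing. As an added example, not taken from the advisory or from the wu-ftpd project, the Python script below computes the three values the table lists (BSD-style `sum`, System V-style `sum`, and MD5) over a downloaded archive and compares them with the published ones; it assumes the classic algorithms behind those two `sum` commands, and the file name and expected values are copied from the advisory.

```python
import hashlib
from pathlib import Path

# Values published in CA-94:07 for the genuine archive (copied from the advisory).
ADVISORY = {
    "file": "wu-ftpd-2.3.tar.Z",
    "bsd": (24416, 181),    # BSD `sum`: 16-bit rotating checksum, 1K-block count
    "svr4": (30488, 361),   # System V `sum`: byte sum folded to 16 bits, 512-byte blocks
    "md5": "e58adc5ce0b6eae34f3f2389e9dc9197",
}

def bsd_sum(data: bytes) -> tuple:
    """BSD checksum: rotate the accumulator right one bit, add the byte, keep 16 bits."""
    ck = 0
    for b in data:
        ck = (ck >> 1) + ((ck & 1) << 15)
        ck = (ck + b) & 0xFFFF
    return ck, (len(data) + 1023) // 1024

def sysv_sum(data: bytes) -> tuple:
    """System V checksum: 32-bit byte sum, folded twice into 16 bits."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16), (len(data) + 511) // 512

def verify(data: bytes, expected: dict) -> dict:
    """Compare all three published values; every entry must be True to trust the file."""
    return {
        "bsd": bsd_sum(data) == expected["bsd"],
        "svr4": sysv_sum(data) == expected["svr4"],
        "md5": hashlib.md5(data).hexdigest() == expected["md5"],
    }

def verify_file(path: str, expected: dict = ADVISORY) -> bool:
    return all(verify(Path(path).read_bytes(), expected).values())

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else ADVISORY["file"]
    ok = verify_file(path)
    print(path, "matches the advisory" if ok else "DOES NOT MATCH the advisory; do not install")
```

A mismatch in any one of the three columns is enough to reject the archive, since the advisory expects all of them to agree.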