I contacted Eli Klein <elijah@firstlink.com> earlier today regarding this. It would appear he was unaware (or says this) that his server was used in this attack (he runs spatula.aclue.com, the server that was used in the back door). I was kind of amazed CERT or Sendmail or anyone for that matter hadn't tried to contact him. It would be apparent that the interest in actually figuring out who hacked Sendmail's ftp site is little to none. Unless of course they were just assuming someone was trying to frame Mr. Klein :P

Anyhow, I have made the backdoor'd sendmail code available at
http://www.enzotech.net/files/sm.backdoor.patch
and the base64 portion is decoded at
http://www.enzotech.net/files/sm.backdoor.base64.txt

The service running on spatula.aclue.com on port 6667 has since been shut down, but apparently not by the Administrator.

It would be nice if Sendmail could provide stats on how many people were affected, and if the maintainer of that box can provide proper forensics to determine what activity went on.

netmask of enZo
http://www.enZotech.net

> Dave Ahmad (da@securityfocus.com) composed today:
>
>
> David Mirza Ahmad
> Symantec
> KeyID: 0x26005712
> Fingerprint: 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
>