10 October 2002 Hackers have compromised the source code for Sendmail, the popular open source email server application, to enable intruders to launch malicious attacks on networks running the software, according to the US government-funded Internet security watchdog CERT.

CERT said the hackers had replaced key software on the Sendmail consortium’s download server with a malicious Trojan-Horse program, which is activated when the source code is used to compile the email application. “An intruder operating from the remote address specified in the malicious code can gain unauthorised access to any host that compiled a version of Sendmail from this Trojan horse version of the source code,” said CERT.

However, CERT’s latest analysis of the altered Sendmail is different to the warning it delivered a couple of days earlier. At that time, CERT said that the Trojan Horse left a back-door in the Sendmail package, instead of affecting the download server as it revealed yesterday.

It is believed that hackers attacked the Sendmail.org file transfer protocol (FTP) server. As a result, users that downloaded the software from the Sendmail.org FTP server would receive a compromised copy of the code about 10% of the time, said CERT.

But not all users of Sendmail are vulnerable. According to CERT, the Trojan Horse only affects source code for version 8.12.6 of Sendmail downloaded between 28 September 2002 and 6 October 2002. The Sendmail development team disabled the FTP server on 6 October.

CERT has advised organisations that have recently downloaded a copy of the Sendmail distribution to verify the authenticity of their distribution channel. In fact, they have recommended that users inspect any software they might have downloaded from the compromised Sendmail.org site.