Snort mailing list archives

News of tcpdump and libpcap hacks


From: "Gregory W. Ratcliff" <nz8r () att net>
Date: Sat, 16 Nov 2002 01:23:32 -0500


Snort Users,

Be careful where your source comes from!


Greg Ratcliff
Argusnetsec.com

***************************************************

Linux utility site hacked, infected
By Patrick Gray 
ZDNet Australia
November 14, 2002, 6:31 AM PT
URL: http://zdnet.com.com/2100-1105-965800.html

The download site for two very common Linux-based utilities,
tcpdump.org, was hacked into on Nov. 11, and the software available for
download was modified to contain Trojan Horse code. 

This Trojan Horse, or "back door" software allows the hacker that wrote
it to access any machine on which the modified software is run. 

The two software items affected are tcpdump and libpcap, tools commonly
used in information security applications. Some Intrusion Detection
System (IDS) software requires libpcap. 

This is the most recent in a string of similar attacks. Sendmail, one of
the most widely used e-mail server software packages, was also
"trojaned" recently. Others affected in recent months have included
OpenSSH, the secure remote access software, and even Fragroute, a hacker
utility. 

The identity of the hacker conducting this campaign is unknown, as is
whether a connection exists between the separate incidents. 

CERT released an advisory in which they "...encourage sites using libpcap
and tcpdump to verify the authenticity of their distribution, regardless
of where it was obtained." 

CERT provided the information necessary to determine the authenticity of
any libpcap or tcpdump software recently downloaded. The advisory also
encourages users to verify all software before installing it. "As a
matter of good security practice, the CERT/CC encourages users to
verify, whenever possible, the integrity of downloaded software."


