Re: [tcpdump-announce] initial comments on trojan attack

[David Young <dyoung () ojctech com>]

Michael,

What was the key added to your authorized_keys file? I fear that one of
my client's hosts has been compromised, too....

Dave

On Fri, Nov 15, 2002 at 07:40:47PM -0500, Michael Richardson wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> 1) the machine hosting cvs.tcpdump.org was likely compromised 
>    between Nov. 7th and Nov. 10th at 18:24pm.
>
>    The method was likely through an unpatched openssh daemon.
>    (The rest of my servers run SSH.com)
>    I have not yet confirmed this for sure.
>
> 2) an additional public key was added to the .ssh/authorized_keys
>    file for my account. This account was used to install the trojan
>    files at 10:14am, Monday Nov. 11. 
>
> 3) The machine was taken offline around 11am Wednesday Nov. 13th.
>    The machine is also my mail relay, and stealth DNS primary for
>    unsigned (non-DNSSEC) zones. 
>    As such, the machine has been left on, with no default route,
>    but able to exchange DNS and SMTP with others.
>
> 4) I have examined the mirrors and confirmed that many mirror operators
>    did not take the code offline. Therefore, I've restored the proper
>    files, and restored connectivity to the mirror sites.
>
>    The restored files are from my laptop.
>    The md5sum of the files on my laptop match those provided by CERT,
>    and the files on sourceforge.net.
>
>    I have additional signed the files with my key. We will generate
>    a key for really doing this.
>
>    I have not restored 3.6.2, as I haven't yet tracked a perfect copy
>    of this, but will soon.
>
> 5) I will edit the web site soon to provide this information.
>
> 6) I think that we should release a 3.7.1b or .2 or something, no
>    code change, just to flush things out.
>
> 7) the machine will get flushed (i.e. reformatted) when I return from
>    Atlanta/IETF. I expect to limp along until then in this configuration.
>    This means that there will be no anon-cvs, and no SSH access.
>
> ]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
> ]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
> ] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
> ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (GNU/Linux)
> Comment: Finger me for keys
>
> iQCVAwUBPdWUDYqHRg3pndX9AQEfOwP5AeHn5F0+mML8l1mlKTSGPbRDE+0Q6t3N
> lnUn9+nnmchT/ULyI4ayMGpVkjWfg/DUN/ShuLqjn72jFKLgxqt5DVo6Zy1ASoeu
> o6GXrQEPuG6diBW1s6AMnRyAKUxNB+Dr9Wqun+OzXhO+VNgRx6j4M39ckdltzG17
> QeG26TVMq70=
> =wGS3
> -----END PGP SIGNATURE-----
> -
> This is the TCPDUMP announcement list. It is archived at
> http://www.tcpdump.org/lists/announce/maillist.html
> To unsubscribe use mailto:tcpdump-announce-request () tcpdump org?body=unsubscribe
> -
> This is the TCPDUMP workers list. It is archived at
> http://www.tcpdump.org/lists/workers/index.html
> To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe

-- 
David Young             OJC Technologies
dyoung () ojctech com      Engineering from the Right Brain
                        Urbana, IL * (217) 278-3933
-
This is the TCPDUMP workers list. It is archived at
http://www.tcpdump.org/lists/workers/index.html
To unsubscribe use mailto:tcpdump-workers-request () tcpdump org?body=unsubscribe