tcpdump mailing list archives

[tcpdump-announce] November Trojan incident


From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Fri, 06 Dec 2002 15:30:55 -0500


http://www.sandelman.ca/SSW/incidents/2002-november.shtml

Report on incident 2002/11/10 on www.tcpdump.org

   Between November 7th and November 10th, there was an intrusion on
   lox.sandelman.ca, aka cvs.tcpdump.org. It likely occurred through either
   Apache+SSL (openssl was not patched. I thought I'd just turned SSL
   off), or via openssh.

   The attack resulted in the addition of a public key to several SSH
   authorized_keys files, including mine.

   On November 11th, around 10am a trojan copy of tcpdump 3.7.2 and
   libpcap 0.6.2 was installed using my account. This was discovered on
   November 12th by some Linux users in Houston, and slashdotted that
   night. I received notification from an Australian mirror of the furor
   by phone on Wednesday November 13th, unfortunately, after I'd just
   travelled to Atlanta for IETF55.

   On the afternoon of November 13th, lox.sandelman.ca was quarantined -
   the default route was removed, with selective connectivity enabled for
   specific uses. (It is my mail relay/pop mailbox server, after all)

   On November 15th, proper tcpdump.org files were put online again. The
   machine remained quarantined until I knew that I'd be home long enough
   to watch it.

   The machine was upgraded to NetBSD 1.6 on December 2nd and 3rd, with
   some additional patches applied already. The default route was
   restored on December 3rd at 16:00.

   Other machines have been audited and no other situations have been
   seen. In general, there were too many eggs on that machine - it made
   it very hard to upgrade in a timely manner. There are plans to
   distribute the work a little more. These plans are not new - alas.

   If there are services (other than list searches, which continue to be
   broken) which you expect to have returned, then please let me know.


]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
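The intrusion above left behind extra public keys in several authorized_keys files. As an added example (not code from the original message or from the tcpdump project), here is a small Python audit that parses authorized_keys content, fingerprints each key the way OpenSSH displays them, and reports any key whose fingerprint is not on an allowlist; the key blobs and file content are constructed for the demonstration and are not real keys.

```python
import base64
import hashlib
import shlex

# Prefixes of the key-type field that marks where options end and the key begins.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def _blob(keytype: str, payload: bytes) -> str:
    """Build a constructed OpenSSH-style key blob: length-prefixed type string + payload."""
    t = keytype.encode()
    return base64.b64encode(len(t).to_bytes(4, "big") + t + payload).decode()

# Constructed sample data (not real keys): two keys we know about and one planted rogue key.
KNOWN_RSA = _blob("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01" + b"\x11" * 32)
KNOWN_ED = _blob("ssh-ed25519", b"\x00\x00\x00\x20" + b"\x33" * 32)
ROGUE_RSA = _blob("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01" + b"\x22" * 32)

SAMPLE_AUTHORIZED_KEYS = f"""# admin workstation
ssh-rsa {KNOWN_RSA} mcr@laptop
from="10.0.0.0/8",command="/usr/bin/rsync --server" ssh-ed25519 {KNOWN_ED} backup
ssh-rsa {ROGUE_RSA}
"""

def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints: SHA256:<unpadded base64>."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str) -> list[dict]:
    """Return one dict per key line, tolerating a leading options field with quoted spaces."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            tokens = shlex.split(line)       # keeps command="..." options as one token
        except ValueError:                   # unbalanced quote in a comment: fall back
            tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "fp": None, "error": "unparseable"})
            continue
        entries.append({"line": lineno, "type": tokens[idx], "fp": fingerprint(tokens[idx + 1]),
                        "options": " ".join(tokens[:idx]), "comment": " ".join(tokens[idx + 2:])})
    return entries

def audit(text: str, allowlist: set[str]) -> list[dict]:
    """Return entries whose fingerprint is not in the allowlist (unparseable lines included)."""
    return [e for e in parse_authorized_keys(text) if e["fp"] not in allowlist]

if __name__ == "__main__":
    known = {fingerprint(KNOWN_RSA), fingerprint(KNOWN_ED)}
    for hit in audit(SAMPLE_AUTHORIZED_KEYS, known):
        print(f"line {hit['line']}: unexpected key {hit.get('fp')} {hit.get('comment', '')}")
```

The allowlist would in practice be built from `ssh-keygen -lf` output on the keys you deliberately installed; a key-only comparison also catches the case where a known key line has been re-used with a different comment.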

