mailing list archives
[tcpdump-announce] initial comments on trojan attack (fwd)
From: Jonas Eriksson <je () sekure net>
Date: Sat, 16 Nov 2002 11:32:22 +0100 (CET)
---------- Forwarded message ----------
Date: Fri, 15 Nov 2002 19:40:47 -0500
From: Michael Richardson <mcr () sandelman ottawa on ca>
Reply-To: tcpdump-workers () sandelman ottawa on ca
To: tcpdump-announce () tcpdump org
Subject: [tcpdump-announce] initial comments on trojan attack
-----BEGIN PGP SIGNED MESSAGE-----
1) the machine hosting cvs.tcpdump.org was likely compromised
between Nov. 7th and Nov. 10th at 18:24pm.
The method was likely through an unpatched openssh daemon.
(The rest of my servers run SSH.com)
I have not yet confirmed this for sure.
2) an additional public key was added to the .ssh/authorized_keys
file for my account. This account was used to install the trojan
files at 10:14am, Monday Nov. 11.
3) The machine was taken offline around 11am Wednesday Nov. 13th.
The machine is also my mail relay, and stealth DNS primary for
unsigned (non-DNSSEC) zones.
As such, the machine has been left on, with no default route,
but able to exchange DNS and SMTP with others.
4) I have examined the mirrors and confirmed that many mirror operators
did not take the code offline. Therefore, I've restored the proper
files, and restored connectivity to the mirror sites.
The restored files are from my laptop.
The md5sum of the files on my laptop match those provided by CERT,
and the files on sourceforge.net.
I have additional signed the files with my key. We will generate
a key for really doing this.
I have not restored 3.6.2, as I haven't yet tracked a perfect copy
of this, but will soon.
5) I will edit the web site soon to provide this information.
6) I think that we should release a 3.7.1b or .2 or something, no
code change, just to flush things out.
7) the machine will get flushed (i.e. reformatted) when I return from
Atlanta/IETF. I expect to limp along until then in this configuration.
This means that there will be no anon-cvs, and no SSH access.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys
-----END PGP SIGNATURE-----
This is the TCPDUMP announcement list. It is archived at
To unsubscribe use mailto:tcpdump-announce-request () tcpdump org?body=unsubscribe
- [tcpdump-announce] initial comments on trojan attack (fwd) Jonas Eriksson (Nov 19)