Home page logo

bugtraq logo Bugtraq mailing list archives

[tcpdump-announce] initial comments on trojan attack (fwd)
From: Jonas Eriksson <je () sekure net>
Date: Sat, 16 Nov 2002 11:32:22 +0100 (CET)

---------- Forwarded message ----------
Date: Fri, 15 Nov 2002 19:40:47 -0500
From: Michael Richardson <mcr () sandelman ottawa on ca>
Reply-To: tcpdump-workers () sandelman ottawa on ca
To: tcpdump-announce () tcpdump org
Subject: [tcpdump-announce] initial comments on trojan attack


1) the machine hosting cvs.tcpdump.org was likely compromised
   between Nov. 7th and Nov. 10th at 18:24pm.

   The method was likely through an unpatched openssh daemon.
   (The rest of my servers run SSH.com)
   I have not yet confirmed this for sure.

2) an additional public key was added to the .ssh/authorized_keys
   file for my account. This account was used to install the trojan
   files at 10:14am, Monday Nov. 11.

3) The machine was taken offline around 11am Wednesday Nov. 13th.
   The machine is also my mail relay, and stealth DNS primary for
   unsigned (non-DNSSEC) zones.
   As such, the machine has been left on, with no default route,
   but able to exchange DNS and SMTP with others.

4) I have examined the mirrors and confirmed that many mirror operators
   did not take the code offline. Therefore, I've restored the proper
   files, and restored connectivity to the mirror sites.

   The restored files are from my laptop.
   The md5sum of the files on my laptop match those provided by CERT,
   and the files on sourceforge.net.

   I have additional signed the files with my key. We will generate
   a key for really doing this.

   I have not restored 3.6.2, as I haven't yet tracked a perfect copy
   of this, but will soon.

5) I will edit the web site soon to provide this information.

6) I think that we should release a 3.7.1b or .2 or something, no
   code change, just to flush things out.

7) the machine will get flushed (i.e. reformatted) when I return from
   Atlanta/IETF. I expect to limp along until then in this configuration.
   This means that there will be no anon-cvs, and no SSH access.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr () sandelman ottawa on ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

This is the TCPDUMP announcement list. It is archived at
To unsubscribe use mailto:tcpdump-announce-request () tcpdump org?body=unsubscribe

  By Date           By Thread  

Current thread:
  • [tcpdump-announce] initial comments on trojan attack (fwd) Jonas Eriksson (Nov 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]