OpenSSH package on openbsd.org trojaned
Results 1 to 5 of 5

Thread: OpenSSH package on openbsd.org trojaned

  1. #1
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103

    Exclamation OpenSSH package on openbsd.org trojaned

    Edwin Groothuis reports in this FreeBSD Security Mailinglist post that the OpenSSH package on ftp.openbsd.org, and possibly all mirrors, is trojaned. Makefile.in has been modified, an generates a shell-script that tries to connect to 203.62.158.32:6667 (web.snsonline.net).

    This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system:
    MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

    This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
    MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  2. #2
    Member
    Join Date
    May 2002
    Posts
    31

    beat me to it

    Here's some more information on the trojan.

    i did an analysis on the trojan horse that was hidden
    in the recent portable version of openssh (3.4p1)
    it could be found(and still can be) on ftp.openbsd.org
    and his mirrors.

    in openssh-3.4p1/openbsd-compat a c-file "bf-test.c" has been added
    it tells you it has to check for correct handling in HP-UX PL.2
    systems .. which is in fact 100% rubbish
    [PL.1 has been horrible .. so what could PL.2 be? :-]

    in openssh-3.4p1/openbsd-compat "Makefile.in" has been edited to
    respect these changes

    when running make "bf-test.c" compiles to a program which has a
    shell-script as output

    the shellscript outputs a c-programm and trys really hard to get it
    compiled .. and run

    the c-programm connects to a computer in australia(203.62.158.32)
    and starts a shell locally if asked by the other computer
    [ i have not started this programm .. but the server seems
    to have closed the port 6667(could be a firewall in between though)
    {this computer probably has been attacked beforehand}]

    in my opinion this is a really serious attack
    . as i have to say:
    1.) i do not often check signatures an packets i install
    1.a) especialy i wouldn't have thought about the possibility
    that someone might be able to get access to ftp.openbsd.org
    (ok this is a sun-os machine at the university of alberta)
    2.) i normaly run make on a computer reachable by the net
    3.) sometimes one is lazy and just runs make && make install as root

    christian bahls

    Got it from bugtraq

  3. #3
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    Hmpfr. The original mailinglist-item seems to have dissapeared. Here are some new, working links:

    OpenSSH Security Advisory (adv.trojan)
    CERTŪ Advisory CA-2002-24 Trojan Horse OpenSSH Distribution
    Mirror of Groothuis' letter
    Almighty Google
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  4. #4
    Okay.... This is just 1 week old news........

  5. #5
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,884
    OpenSSH package on openbsd.org trojaned posted 08-01-2002 06:17 AM
    Gee, maybe that is why it was posted a week ago...... it was just an update to the original post...
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •