It seems that we have YET ANOTHER trojan in an open-source project. This time it's fragrouter.


Date: Mon, 21 Oct 2002 09:31:21 -0400 (EDT)
Subject: fragrouter trojan

On October 18, was compromised and a trojan was placed at
MD5 (fragrouter-1.7.tar.gz) = 8329c34704287a1fb1e5d6f1ba81f456

After being notified by Hank Leininger on October 19, it was subsequently

This release of fragrouter 1.7 is COMPLETELY BOGUS. fragrouter has not
been actively maintained for 3 years (1.6 being the last proper release),
and has since been obsoleted by fragroute. The attacker even went to
the lengths of creating a fake CHANGELOG entry, but only adding the
trojan code.

The trojan itself is very similar to those recently found in irssi,
fragroute, BitchX, OpenSSH, and Sendmail. Embedded in the configure
script is a C program that will remotely bind a shell. An interesting
addition to this version is that it will dynamically decide which IP
address to connect the shell to by grabbing text from a URL, in
this case:

Contained in this file is the string 'IPDATA210.224.164.100', so it
would connect to TCP port 6667 on The owner has been
contacted and this port is currently closed. Thanks again to Hank
for the initial analysis.
Full article, including a diff against fragrouter 1.6, is here
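
A defender-side check for the two indicators the advisory describes (the published MD5 of the bogus tarball, and C code embedded in the configure script), as an added example that is not part of the original advisory. The regex heuristics, function names and sample inputs are constructed assumptions, not signatures taken from the actual trojan.

```python
import hashlib, io, re, tarfile

# MD5 the advisory lists for the bogus fragrouter-1.7.tar.gz (MD5 only because that is what was published).
KNOWN_BAD_MD5 = {"8329c34704287a1fb1e5d6f1ba81f456": "fragrouter-1.7.tar.gz"}
# Heuristics chosen for this example (assumptions, not signatures of the real trojan).
NET = re.compile(r'\b(socket|connect|gethostbyname)\s*\(')
SHELL = re.compile(r'\bexec[lv]p?e?\s*\(\s*"/bin/(ba)?sh"')
BACKGROUND = re.compile(r'^\s*\./\S+.*(?<!&)&\s*$', re.M)

# Constructed, non-compilable sample inputs. BENIGN mimics an ordinary autoconf link test.
BENIGN = ('cat > conftest.c <<EOF\nchar socket ();\nint main () { return socket (); }\n'
          'EOF\n$CC -o conftest conftest.c\n')
SUSPECT = ('cat > conftest.c <<EOF\n'
           'int main () { socket (...); connect (...); execl ("/bin/sh", ...); }\n'
           'EOF\n$CC -o conftest conftest.c\n./conftest >/dev/null 2>&1 &\n')

def scan_configure(text):
    """Return reasons a configure script deserves manual review."""
    reasons = []
    if NET.search(text) and SHELL.search(text):
        reasons.append("network call and shell exec in embedded C")
    if BACKGROUND.search(text):
        reasons.append("locally built program started in background")
    return reasons

def check_tarball(data):
    """data: raw bytes of a .tar.gz. Nothing is unpacked to disk or executed."""
    digest = hashlib.md5(data).hexdigest()
    findings = [f"MD5 matches trojaned {KNOWN_BAD_MD5[digest]}"] if digest in KNOWN_BAD_MD5 else []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.rsplit("/", 1)[-1] == "configure":
                text = tar.extractfile(m).read().decode("latin-1")
                findings += [f"{m.name}: {r}" for r in scan_configure(text)]
    return findings

def make_tar(configure_text):
    """Build a constructed .tar.gz holding pkg/configure (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = configure_text.encode()
        info = tarfile.TarInfo("pkg/configure")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, check_tarball(make_tar(sample)))
```

A clean result only means these heuristics did not fire; comparing against a release signed or published by the maintainer remains the stronger check.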