OpenSSH package on openbsd.org trojaned

Printable View

August 1st, 2002, 11:17 AM
Guus

OpenSSH package on openbsd.org trojaned

Edwin Groothuis reports in this FreeBSD Security Mailinglist post that the OpenSSH package on ftp.openbsd.org, and possibly all mirrors, is trojaned. Makefile.in has been modified, an generates a shell-script that tries to connect to 203.62.158.32:6667 (web.snsonline.net).

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57
August 1st, 2002, 04:19 PM
g0t r00t

beat me to it

Here's some more information on the trojan.

Quote:

i did an analysis on the trojan horse that was hidden
in the recent portable version of openssh (3.4p1)
it could be found(and still can be) on ftp.openbsd.org
and his mirrors.

in openssh-3.4p1/openbsd-compat a c-file "bf-test.c" has been added
it tells you it has to check for correct handling in HP-UX PL.2
systems .. which is in fact 100% rubbish
[PL.1 has been horrible .. so what could PL.2 be? :-]

in openssh-3.4p1/openbsd-compat "Makefile.in" has been edited to
respect these changes

when running make "bf-test.c" compiles to a program which has a
shell-script as output

the shellscript outputs a c-programm and trys really hard to get it
compiled .. and run

the c-programm connects to a computer in australia(203.62.158.32)
and starts a shell locally if asked by the other computer
[ i have not started this programm .. but the server seems
to have closed the port 6667(could be a firewall in between though)
{this computer probably has been attacked beforehand}]

in my opinion this is a really serious attack
. as i have to say:
1.) i do not often check signatures an packets i install
1.a) especialy i wouldn't have thought about the possibility
that someone might be able to get access to ftp.openbsd.org
(ok this is a sun-os machine at the university of alberta)
2.) i normaly run make on a computer reachable by the net
3.) sometimes one is lazy and just runs make && make install as root

christian bahls

Got it from bugtraq
August 7th, 2002, 08:02 AM
Guus

Hmpfr. The original mailinglist-item seems to have dissapeared. Here are some new, working links:

OpenSSH Security Advisory (adv.trojan)
CERT® Advisory CA-2002-24 Trojan Horse OpenSSH Distribution
Mirror of Groothuis' letter
Almighty Google
August 7th, 2002, 03:59 PM
Truti

Okay.... This is just 1 week old news........
August 7th, 2002, 04:08 PM
souleman

Quote:

OpenSSH package on openbsd.org trojaned posted 08-01-2002 06:17 AM

Gee, maybe that is why it was posted a week ago...... it was just an update to the original post...