Date: Mon, 21 Oct 2002 09:31:21 -0400 (EDT)
From: [email protected]
To: [email protected]
Subject: fragrouter trojan

On October 18,
www.anzen.com was compromised and a trojan was placed at
http://www.anzen.com/archive/researc...ter-1.7.tar.gz
MD5 (fragrouter-1.7.tar.gz) = 8329c34704287a1fb1e5d6f1ba81f456
After being notified by Hank Leininger on October 19, it was subsequently
removed.

This release of fragrouter 1.7 is COMPLETELY BOGUS. fragrouter has not
been actively maintained for 3 years (1.6 being the last proper release),
and has since been obsoleted by fragroute. The attacker even went to
the lengths of creating a fake CHANGELOG entry, but only adding the
trojan code.

The trojan itself is very similar to those recently found in irssi,
fragroute, BitchX, OpenSSH, and Sendmail. Embedded in the configure
script is a C program that will remotely bind a shell. An interesting
addition to this version is that it will dynamically decide which IP
address to connect the shell to by grabbing text from a URL, in
this case:
http://www.anzen.com/images/anzen-title_r3_f2_c4.jpg
Contained in this file is the string 'IPDATA210.224.164.100', so it
would connect to TCP port 6667 on 210.224.164.100. The owner has been
contacted and this port is currently closed. Thanks again to Hank
for the initial analysis.
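A defender's triage of a downloaded source archive along the lines of this report, added here as an example and not part of the original message: it compares the archive against the MD5 published above and flags configure-script heredocs that write out a file containing C network calls, the pattern shared by the irssi, fragroute, BitchX, OpenSSH and Sendmail trojans mentioned. The sample configure fragment is constructed for the demonstration and is not the real trojan.

```python
"""Triage checks for a downloaded tarball: known-bad hash match and
C network code embedded in the configure script via a heredoc."""
import hashlib
import re
from typing import List, Optional

# MD5 of the bogus fragrouter-1.7.tar.gz, as published in the advisory.
KNOWN_BAD_MD5 = {
    "8329c34704287a1fb1e5d6f1ba81f456": "fragrouter-1.7.tar.gz (anzen.com trojan, Oct 2002)",
}

# configure is a shell script; these tokens belong to C network code, not autoconf.
C_NET_TOKENS = ("socket(", "connect(", "bind(", "listen(", "execl(", "execve(")
# Matches e.g.  cat << __EOF__ > /tmp/x.c   (terminator word and output target)
HEREDOC_RE = re.compile(r"<<\s*['\"]?(\w+)['\"]?\s*>\s*(\S+)")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def known_bad(data: bytes) -> Optional[str]:
    """Return the advisory label if the archive matches a published trojan hash."""
    return KNOWN_BAD_MD5.get(md5_hex(data))


def scan_configure(text: str) -> List[str]:
    """Report heredocs in a configure script whose body contains C network calls."""
    findings, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = HEREDOC_RE.search(lines[i])
        if not m:
            i += 1
            continue
        terminator, target = m.group(1), m.group(2)
        body, i = [], i + 1
        while i < len(lines) and lines[i].strip() != terminator:  # collect heredoc body
            body.append(lines[i])
            i += 1
        hits = sorted({t for t in C_NET_TOKENS if any(t in line for line in body)})
        if hits:
            findings.append(f"heredoc writes {target} containing {', '.join(hits)}")
        i += 1  # skip the terminator line
    return findings


# Constructed sample (not the real trojan): a configure fragment that drops a C file.
SAMPLE_CONFIGURE = """#!/bin/sh
echo "checking for gcc... yes"
cat << __EOF__ > /tmp/x.c
int main() { int s = socket(2, 1, 0); connect(s, 0, 0); }
__EOF__
gcc /tmp/x.c -o /tmp/x
"""
```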