[cobalt-users] Fw: trojan horse in recent openssh (version 3.4 portable 1)
- Subject: [cobalt-users] Fw: trojan horse in recent openssh (version 3.4 portable 1)
- From: "aljuhani" <aljuhani@xxxxxxxxx>
- Date: Thu Aug 1 08:25:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
Hello List.
This is from the SecurityFocus mailing list.
----- Original Message -----
From: "Christian Bahls" <christian.bahls@xxxxxxxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Cc: "Christian Bahls" <christian.bahls@xxxxxxxxxxxxxxxxxxx>
Sent: Thursday, August 01, 2002 15:17
Subject: trojan horse in recent openssh (version 3.4 portable 1)
> [ I am not subscribed to bugtraq ..
> so if you reply please include me in the cc]
>
> I did an analysis of the trojan horse that was hidden
> in the recent portable version of openssh (3.4p1).
> It could be found (and still can be) on ftp.openbsd.org
> and its mirrors.
>
> In openssh-3.4p1/openbsd-compat a C file "bf-test.c" has been added.
> It tells you it has to check for correct handling on HP-UX PL.2
> systems .. which is in fact 100% rubbish
> [PL.1 has been horrible .. so what could PL.2 be? :-]
>
> In openssh-3.4p1/openbsd-compat "Makefile.in" has been edited to
> reflect these changes.
>
> When running make, "bf-test.c" compiles to a program which has a
> shell script as output.
>
> The shell script outputs a C program and tries really hard to get it
> compiled .. and run.
>
> The C program connects to a computer in Australia (203.62.158.32)
> and starts a shell locally if asked by the other computer.
> [ I have not started this program .. but the server seems
> to have closed port 6667 (could be a firewall in between though)
> {this computer has probably been attacked beforehand}]
>
> In my opinion this is a really serious attack
> .. as I have to say:
> 1.) I do not often check signatures on packages I install
> 1.a) especially I wouldn't have thought about the possibility
> that someone might be able to get access to ftp.openbsd.org
> (ok, this is a SunOS machine at the University of Alberta)
> 2.) I normally run make on a computer reachable from the net
> 3.) sometimes one is lazy and just runs make && make install as root
>
> You will find all the more interesting stuff
> below this signature:
>
> Yours,
> Christian Bahls
> math student
> University of Rostock
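The lessons the author draws (check signatures on what you install, and do not run make on an unverified tree) can be turned into a gate in front of the build: refuse the tarball unless it matches the published digest and adds no files beyond a known-good manifest. The Python below is an added example, not code from the original post or from OpenSSH; the manifest, the "published" digest and both tarballs are constructed inline, and the file names merely echo the post.

```python
import hashlib
import io
import os
import tarfile
import tempfile

def sha256_of(path):
    """Hex SHA-256 of the file, to compare with the digest the project publishes."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def unexpected_members(tar_path, manifest):
    """Regular-file entries in the archive that the known-good manifest lacks."""
    with tarfile.open(tar_path, "r:*") as tar:
        names = {m.name for m in tar.getmembers() if m.isfile()}
    return sorted(names - set(manifest))

def safe_to_build(tar_path, published_sha256, manifest):
    """True only if the archive matches the published hash and adds no files."""
    if sha256_of(tar_path) != published_sha256:
        return False
    return unexpected_members(tar_path, manifest) == []

def make_demo_tarball(path, members):
    """Write a small .tar.gz from {name: bytes}; constructed sample data only."""
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

def demo():
    """Constructed scenario: a clean tree, and the same tree with bf-test.c added."""
    clean = {
        "openssh-3.4p1/openbsd-compat/Makefile.in": b"all: bsd-misc.o\n",
        "openssh-3.4p1/openbsd-compat/bsd-misc.c": b"int bsd_misc;\n",
    }
    manifest = list(clean)  # stands in for a manifest taken from a verified release
    trojaned = dict(clean)
    trojaned["openssh-3.4p1/openbsd-compat/Makefile.in"] = b"all: bsd-misc.o bf-test\n"
    trojaned["openssh-3.4p1/openbsd-compat/bf-test.c"] = b"/* unexpected addition */\n"
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "good.tar.gz"), os.path.join(d, "bad.tar.gz")
        make_demo_tarball(good, clean)
        make_demo_tarball(bad, trojaned)
        published = sha256_of(good)  # stands in for the hash the project publishes
        return (unexpected_members(bad, manifest),
                safe_to_build(good, published, manifest),
                safe_to_build(bad, published, manifest))
```

The manifest comparison only catches additions; a modified file with an unchanged name is caught by the digest check, which is why both gates are applied before make is run.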