[H-GEN] Openssh trojan

Snowy Angelique Maslov aka 'Snowpony' snowy at snowy.org
Thu Aug 1 22:28:58 EDT 2002 

[ Humbug *General* list - semi-serious discussions about Humbug and     ]
[ Unix-related topics. Posts from non-subscribed addresses will vanish. ]

On Fri, 2 Aug 2002, Robert Brockway wrote:

> Date: Fri, 2 Aug 2002 09:45:33 +1000 (EST)
> From: Robert Brockway <robert at timetraveller.org>
> Reply-To: general at lists.humbug.org.au
> To: general at lists.humbug.org.au
> Subject: Re: [H-GEN] Openssh trojan
>
> [ Humbug *General* list - semi-serious discussions about Humbug and     ]
> [ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
>
> On Fri, 2 Aug 2002, Robert Brockway wrote:
>
> > [ Humbug *General* list - semi-serious discussions about Humbug and     ]
> > [ Unix-related topics. Posts from non-subscribed addresses will vanish. ]
> >
> > Hi all.  OpenSSH versions 3.2.2p1, 3.4p1 and 3.4 have a trojan.  This is a
>
> Sorry, should have said "may" have a trojan.  The bad code was reportedly
> inserted on July 30 or 31 and spotted on Aug 1.  Only compiles occuring in
> that time should be exploitable.

In particular the code lies in the bf-test.c which is executed and
backgrounded whilst you are compiling.  It is a simple backdoor program which
connects roughly once an hour to 203.62.158.32:6667 (web.snsonline.net).  The
code itself understands the following commands:

Command A:  Kill the exploit.
Command D:  Execute a command.
Command M:  Go to sleep.

Check your files - they should have the following to NOT be the trojaned
versions:

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a

-- 
Snowy Angelique Maslov aka Snowpony   My [ www.vulpine.pp.se/cgi-bin/furcode ]
 |\=  http://www.snowy.org/          Art FEHuw3acdm A+ C- Dm++ H+++ M++++ P+++
- - = http://www.furryfaire.org/    Life R++ T+++ W- Z++ Sf# RLCT/M a cbu++++$
'-    http://www.anthrocon.org/   Dreams d- e+ f+++ h+ iwf+++$ j+ p* f#
[----------------------------------------------------------------------------]
[              UNSOLICITED COMMERCIAL EMAIL MESSAGE NOTICE                   ]
[ A reading fee of $25.00US will be charged for any commercial email sent to ]
[ this email account without prior consent given for such material.          ]
[----------------------------------------------------------------------------]


--
* This is list (humbug) general handled by majordomo at lists.humbug.org.au .
* Postings to this list are only accepted from subscribed addresses of
* lists 'general' or 'general-post'.  See http://www.humbug.org.au/

More information about the General mailing list