On Thu, 2002-08-01 at 11:37, Rob Kaper wrote:
> Pat, Neil, Gentoo devs, KDE friends:
>
> From #kde-freebsd:
>
> <knu> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is trojaned
> <tap> nothing on google either
> <knu> steals /etc/passwd to send to a certain IRC network and removes itself
> <Capzilla> knu : says who
> <knu> see the code, but never run make
> <knu> openbsd-compat/{Makefile.in,bf-test.c}
>
> Looks like some weird stuff is in there indeed.
>
> md5sum of the binary that appears to be trojaned:
>
> 3ac9bc346d736b4a51d676faa2a08a57 openssh-3.4p1.tar.gz
>
> As far as I can see, compiled binaries are *not* affected, but you might
> want to carefully examine this more closely (I'm waiting with upgradepkg and
> emerge on my systems until there's some more info). We've had a few hoaxes
> recently, but this looks suspicious.
>
> My apologies if this is just a storm in a glass of water.
>
> Rob
> --
> Rob Kaper | Gimme some love, gimme some skin,
> cap@×××××.com | if we ain't got that then we ain't got much
> www.capsi.com | and we ain't got nothing, nothing! -- "Nothing" by A

It indeed looks like a trojan. It doesn't send your /etc/passwd, though.
It connects to 203.62.158.32 [web.snsonline.net.] port 6667 [irc]
and opens a shell session on that connection, so that whoever is in
control there will be able to execute arbitrary commands on your system
with your current privileges. Especially dangerous if you compile as
root.

/Vitaly.
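
A triage check for the situation this thread describes, as an added example that is not part of either message or of OpenSSH: it hashes a downloaded tarball, compares it to the MD5 Rob reported, and lists the two files knu named plus any Makefile.in lines mentioning bf-test, without extracting or building anything. The function names and the sample archive contents are constructed for illustration.

```python
import hashlib
import io
import tarfile

# MD5 of the tarball reported as trojaned in the thread above.
REPORTED_BAD_MD5 = "3ac9bc346d736b4a51d676faa2a08a57"
# Files the thread points at for manual review.
SUSPECT_SUFFIXES = ("openbsd-compat/Makefile.in", "openbsd-compat/bf-test.c")


def triage_tarball(data: bytes) -> dict:
    """Inspect a gzip'd source tarball in memory; nothing is extracted or run."""
    report = {"md5": hashlib.md5(data).hexdigest(), "present": [], "makefile_refs": []}
    report["matches_reported_bad"] = report["md5"] == REPORTED_BAD_MD5
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile() or not member.name.endswith(SUSPECT_SUFFIXES):
                continue
            report["present"].append(member.name)
            if member.name.endswith("Makefile.in"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                # Record where the build file refers to bf-test, for a human to read.
                report["makefile_refs"] += [
                    (n, line.strip())
                    for n, line in enumerate(text.splitlines(), 1)
                    if "bf-test" in line
                ]
    return report


def build_sample() -> bytes:
    """Constructed stand-in archive (not the real tarball) so this runs offline."""
    files = {
        "openssh-x/openbsd-compat/Makefile.in":
            b"all: libopenbsd-compat.a\n\t@ $(CC) bf-test.c -o bf-test\n",
        "openssh-x/openbsd-compat/bf-test.c": b"/* placeholder content */\n",
        "openssh-x/README": b"sample\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_tarball(build_sample()))
```

A matching MD5 identifies the reported archive; a non-matching one only means the file differs from that report, so the listed files still need to be read by hand before any build.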