Trojan horse found in OpenSSH
ComputerWorld | AUGUST 02, 2002 | Joris Evers

Posted on 08/02/2002 12:59:37 PM PDT by Bush2000


Several versions of OpenSSH contain a Trojan horse that can allow an attacker to take over a system running the free network connectivity software, the makers of OpenSSH warned in an advisory yesterday. OpenSSH is distributed for free by the OpenBSD project. The SSH protocol is widely used for secure remote terminal connections and file transfers between a client and a server running Unix and its derivatives.

The Trojan horse was discovered in OpenSSH versions 3.2.2p1, 3.4p1 and 3.4. The compromised software was first made available on an official download server on July 30 or 31 and from there likely copied to other download sites, according to the OpenSSH security advisory.

Trojan horse programs install backdoor programs that let attackers gain access to a computer. In this case, the malicious code is run when the OpenSSH software is compiled by the user, according to the advisory. It allows arbitrary commands to be executed with the privileges of the compiling user.

Anyone who installed OpenSSH or offered it for download since July 30 should verify the authenticity of the software. The compromised OpenSSH versions can be identified by their incorrect MD5 checksums and PGP signatures, according to the advisory.

More information on the Trojan horse and how to detect it can be found in an advisory sent out by the Computer Emergency Response Team.


TOPICS: Business/Economy; Technical
KEYWORDS: alreadyfixed; opensourcecrap; openssh; techindex; trojan; virus
Repeat after me: "Open source means more eyeballs and no opportunity for viruses and trojan horses..."
1 posted on 08/02/2002 12:59:38 PM PDT by Bush2000

To: Bush2000
It was found and fixed within about 24-48 hours. Further, it was not a corruption or bug in the source code that was in the central repository of code. It was a hack on a SunSITE server in Alberta, Canada, which does not run OpenBSD but instead runs Solaris, a closed source OS.
2 posted on 08/02/2002 1:06:30 PM PDT by ikka

To: Bush2000
Jeez....this is a perfect ploy for proprietary protocols to pull.

Makes ya wonder.

More info here

3 posted on 08/02/2002 1:11:27 PM PDT by beckett

To: Bush2000
(Hey, don't blame us for Theo "The Raat" DeRaadt's problems. The guy's practically begging for stuff like this to happen to him. Search Google for "bugtraq GOBBLES" for more information...)

Interesting side note - It was a checksumming feature of the FreeBSD ports system which caught this trojan-horse.

:) ttt

4 posted on 08/02/2002 1:33:21 PM PDT by detsaoT

To: ikka
According to this August 1 weblog, the problem was detected and reported within six hours when the automatic checksum comparison reported a problem with the archive. If the people installing the software are paying attention to the checksum error message, it's unlikely that this trojan has affected more than a few machines.

Also of note -

The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get an M, it will spawn a shell. Some people will build it with "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.

5 posted on 08/02/2002 1:37:09 PM PDT by HAL9000

To: Bush2000
At least with FreeBSD you'll have a chance with checksums to see that it was bogus. Unlike with Microsoft you could get some FunLove with their hotfixes and you wouldn't know it.
6 posted on 08/02/2002 1:42:00 PM PDT by lelio

To: HAL9000
I swear some virus writers are just dumb. Should rather connect to a list of IRC servers and post info, that way the person that wrote it can't be so easily detected or stopped.
7 posted on 08/02/2002 1:43:13 PM PDT by lelio

To: *tech_index; Ernest_at_the_Beach
Filing
8 posted on 08/02/2002 1:49:58 PM PDT by afraidfortherepublic

To: lelio
I swear some virus writers are just dumb. Should rather connect to a list of IRC servers and post info, that way the person that wrote it can't be so easily detected or stopped.

The server in question wasn't traceable back to the originator of the trojan. Ironically, one of the first two people to discover the problem was the owner of the server. He shut down the server and rebuilt it immediately.

9 posted on 08/02/2002 2:03:49 PM PDT by justlurking

To: Bush2000
Repeat after me: "We need at least 30 days to investigate, formulate and propagate a fix.."
10 posted on 08/02/2002 2:16:34 PM PDT by TechJunkYard

To: detsaoT
The real scary part is that whoever broke into the server to replace the package could have also replaced the sums.. then no one would have noticed. Who was the admin on that (Sun) box?
11 posted on 08/02/2002 2:22:54 PM PDT by TechJunkYard

To: TechJunkYard
could have also replaced the sums

That's not that simple. You have to know a trusted person's private key to certify the new hash value. They're way ahead of the typical MS programmer hired to insert trojans into open source. Also, it's very rare anyone would install OpenSSH without verifying its integrity. Someone smart enough to install it would not skip that 10 second test.

12 posted on 08/02/2002 2:34:13 PM PDT by Reeses

To: justlurking
Showing that you shouldn't depend on one r00ted box to receive your handiwork :) Just connect to an IRC server and post something, or maybe post to UseNet.
Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?
13 posted on 08/02/2002 2:49:02 PM PDT by lelio

To: Reeses
..the typical MS programmer hired to insert trojans into open source

Hoo-boy, are you trying to incite a riot or something? ;-)

This really does expose some problems with the way OSS is distributed and installed. Luckily OpenBSD actually performs a checksum when it installs something. Lots of Linux folks don't bother. Lots of folks build AND install AS ROOT so this scheme (compile and run an extra program at build-time) would open a root shell to the attacker.

In a way, the Windows crowd is lucky they only have to worry about buying buggy code, and the risks associated with that. WE don't know WHAT we need to worry about.

14 posted on 08/02/2002 2:50:14 PM PDT by TechJunkYard

To: lelio
Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?

Details here. It was an unbelievable stroke of luck that the guy was on the same IRC channel where the analysis was conducted and recognised the host name.

15 posted on 08/02/2002 2:59:26 PM PDT by TechJunkYard

To: lelio
Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?

No, it's really strange: the first guy to discover the checksum problem (or at least the first one to investigate) asked on an IRC channel if anyone else had the same problem.

The guy that responded eventually turned out to be the administrator/owner of that server. A weird coincidence.

It's not clear that the server was actually hacked, or if the owner/administrator saved anything to investigate the source of the compromise.

16 posted on 08/02/2002 3:19:08 PM PDT by justlurking

To: TechJunkYard
Details here.

Should have checked the thread. I responded directly to the "My Comments" page.

This is the same info I read, too.

17 posted on 08/02/2002 3:21:03 PM PDT by justlurking

To: Reeses
MD5 checksums are not the same as digital signatures. I can generate an MD5 checksum value for a file, send you a copy of the file, then you can generate an MD5 checksum for the file on your system and, provided the file hasn't been modified, you'll come up with the same value. No key required.

The fact that the perpetrator could have generated new checksums for the modified tarballs, but didn't, suggests that he was trying to make a point.

18 posted on 08/02/2002 6:34:16 PM PDT by dwollmann
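The article says the trojaned tarballs were caught by their incorrect MD5 checksums and PGP signatures, and posts 11, 12 and 18 argue about what each check can and cannot catch. The added example below (not code from the article, the OpenSSH project or any poster) plays both cases through: a mirror that serves a replaced tarball but the original checksum file, and a mirror where the intruder rewrote the checksum file too. The tarball bytes are constructed, and Ed25519 stands in for the PGP signature over the published checksum.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Constructed stand-in for a release tarball; the real 2002 archives are not reproduced here.
var cleanTarball = []byte("openssh-3.4p1.tar.gz: clean contents (constructed)")

// publishedMD5 is the value a mirror would list beside the clean tarball.
var publishedMD5 = md5Hex(cleanTarball)

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// checksumMatches is the check the FreeBSD ports system performed: recompute the
// MD5 of the downloaded file and compare it with the published value.
func checksumMatches(download []byte, published string) bool {
	return md5Hex(download) == published
}

// signatureValid verifies a signature over the checksum line. The private key never
// leaves the release signer, so a mirror intruder cannot produce a fresh valid signature.
func signatureValid(pub ed25519.PublicKey, published string, sig []byte) bool {
	return ed25519.Verify(pub, []byte(published), sig)
}

// scenario returns (checksumOK, signatureOK) for a tarball and checksum line as served by a mirror.
func scenario(pub ed25519.PublicKey, sig []byte, download []byte, served string) (bool, bool) {
	return checksumMatches(download, served), signatureValid(pub, served, sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sig := ed25519.Sign(priv, []byte(publishedMD5)) // signed once by the release signer
	trojaned := append([]byte(nil), cleanTarball...)
	trojaned = append(trojaned, []byte(" + backdoor inserted at build time")...)
	// Case 1 (what happened in 2002): tarball replaced, checksum file left alone.
	fmt.Println(scenario(pub, sig, trojaned, publishedMD5)) // false true
	// Case 2 (post 11's worry): the intruder also rewrote the checksum file.
	fmt.Println(scenario(pub, sig, trojaned, md5Hex(trojaned))) // true false
}
```

In case 1 the checksum alone raises the alarm; in case 2 only the signature does, which is the distinction post 18 draws between a checksum and a digital signature.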

To: ikka
It was found and fixed within about 24-48 hours. Further, it was not a corruption or bug in the source code that was in the central repository of code. It was a hack on a SunSITE server in Alberta, Canada, which does not run OpenBSD but instead runs Solaris, a closed source OS.

I could care less about how quickly it was fixed. You guys are constantly harping on how much more secure open source is. And you hate it when you get your faces rubbed in your own garbage.
19 posted on 08/02/2002 7:29:01 PM PDT by Bush2000

To: Bush2000
How does this incident prove that Open Source is not secure?
20 posted on 08/02/2002 7:35:27 PM PDT by dwollmann
