Posted on 08/02/2002 12:59:37 PM PDT by Bush2000
Trojan horse found in OpenSSH
Several versions of OpenSSH contain a Trojan horse that can allow an attacker to take over a system running the free network connectivity software, the makers of OpenSSH warned in an advisory yesterday. OpenSSH is distributed for free by the OpenBSD project. The SSH protocol is widely used for secure remote terminal connections and file transfers between a client and a server running Unix and its derivatives.
The Trojan horse was discovered in OpenSSH versions 3.2.2p1, 3.4p1 and 3.4. The compromised software was first made available on an official download server on July 30 or 31 and from there likely copied to other download sites, according to the OpenSSH security advisory.
Trojan horse programs install backdoor programs that let attackers gain access to a computer. In this case, the malicious code is run when the OpenSSH software is compiled by the user, according to the advisory. It allows arbitrary commands to be executed with the privileges of the compiling user.
Anyone who installed OpenSSH or offered it for download since July 30 should verify the authenticity of the software. The compromised OpenSSH versions can be identified by their incorrect MD5 checksums and PGP signatures, according to the advisory.
More information on the Trojan horse and how to detect it can be found in an advisory sent out by the Computer Emergency Response Team.
Makes ya wonder.
More info here
Interesting side note - It was a checksumming feature of the FreeBSD ports system which caught this trojan-horse.
:) ttt
Also of note -
The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32, which is web.snsonline.net, and waits for commands from the person or persons who 0wn3d the machine. If it gets an M, it sleeps for another hour. If it gets an A, it will abort. If it gets an M, it will spawn a shell. Some people will build it with "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.
The server in question wasn't traceable back to the originator of the trojan. Ironically, one of the first two people to discover the problem was the owner of the server. He shut down the server and rebuilt it immediately.
That's not that simple. You have to know a trusted person's private key to certify the new hash value. They're way ahead of the typical MS programmer hired to insert trojans into open source. Also, it's very rare anyone would install OpenSSH without verifying its integrity. Someone smart enough to install it would not skip that 10 second test.
Hoo-boy, are you trying to incite a riot or something? ;-)
This really does expose some problems with the way OSS is distributed and installed. Luckily OpenBSD actually performs a checksum when it installs something. Lots of Linux folks don't bother. Lots of folks build AND install AS ROOT so this scheme (compile and run an extra program at build-time) would open a root shell to the attacker.
In a way, the Windows crowd is lucky they only have to worry about buying buggy code, and the risks associated with that. WE don't know WHAT we need to worry about.
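The install-time checksum gate described above (the kind of check the FreeBSD ports distinfo file provides) as an added example, not code from the thread or from OpenSSH: it parses BSD-style "MD5 (file) = hex" lines, refuses to proceed when a tarball has no entry or any digest mismatches, and the distinfo values and tarball bytes below are constructed, not the real OpenSSH 3.4p1 checksums.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# BSD md5/sha256 output format, as used in a ports distinfo: "MD5 (name) = hex".
DISTINFO_LINE = re.compile(r"^(MD5|SHA256)\s+\((.+?)\)\s*=\s*([0-9a-fA-F]+)$")


def parse_distinfo(text):
    """Return {filename: {algo: hexdigest}} from distinfo text; SIZE lines are skipped."""
    records = {}
    for line in text.splitlines():
        m = DISTINFO_LINE.match(line.strip())
        if not m:
            continue
        algo, name, digest = m.groups()
        records.setdefault(name, {})[algo.lower()] = digest.lower()
    return records


def verify_distfile(path, records):
    """Check every recorded digest for the file's basename; return (ok, message)."""
    name = Path(path).name
    expected = records.get(name)
    if not expected:
        # An unknown distfile is a failure, not a pass: nothing vouches for it.
        return False, f"{name}: no distinfo entry, refusing to build"
    data = Path(path).read_bytes()
    for algo, want in expected.items():
        got = hashlib.new(algo, data).hexdigest()
        if got != want:
            return False, f"{name}: {algo} mismatch (expected {want}, got {got})"
    return True, f"{name}: all {len(expected)} digests match"


def demo():
    """Constructed tarball and distinfo; the second copy is altered by a few bytes."""
    good = b"constructed stand-in for openssh-3.4p1.tar.gz\n"
    distinfo = (
        f"MD5 (openssh-3.4p1.tar.gz) = {hashlib.md5(good).hexdigest()}\n"
        f"SHA256 (openssh-3.4p1.tar.gz) = {hashlib.sha256(good).hexdigest()}\n"
        f"SIZE (openssh-3.4p1.tar.gz) = {len(good)}\n"
    )
    records = parse_distinfo(distinfo)
    with tempfile.TemporaryDirectory() as d:
        tarball = Path(d, "openssh-3.4p1.tar.gz")
        tarball.write_bytes(good)
        ok_clean, _ = verify_distfile(tarball, records)
        tarball.write_bytes(good.replace(b"3.4p1", b"3.4p2"))  # tampered copy
        ok_tampered, msg = verify_distfile(tarball, records)
    return ok_clean, ok_tampered, msg
```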
Details here. It was an unbelievable stroke of luck that the guy was on the same IRC channel where the analysis was conducted and recognised the host name.
No, it's really strange: the first guy to discover the checksum problem (or at least the first one to investigate) asked on an IRC channel if anyone else had the same problem.
The guy that responded eventually turned out to be the administrator/owner of that server. A weird coincidence.
It's not clear that the server was actually hacked, or if the owner/administrator saved anything to investigate the source of the compromise.
Should have checked the thread. I responded directly to the "My Comments" page.
This is the same info I read, too.
The fact that the perpetrator could have generated new checksums for the modified tarballs, but didn't, suggests that he was trying to make a point.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.