Trojan horse found in OpenSSH
ComputerWorld ^
| AUGUST 02, 2002
| Joris Evers
Posted on 08/02/2002 12:59:37 PM PDT by Bush2000
Repeat after me: "Open source means more eyeballs and no opportunity for viruses and trojan horses..."
1 posted on 08/02/2002 12:59:38 PM PDT by Bush2000
To: Bush2000
It was found and fixed within about 24-48 hours. Further, it was not a corruption or bug in the source code that was in the central repository of code. It was a hack on a SunSITE server in Alberta, Canada, which does not run OpenBSD but instead runs Solaris, a closed source OS.
2 posted on 08/02/2002 1:06:30 PM PDT by ikka
To: Bush2000
Jeez... this is a perfect ploy for proprietary protocols to pull. Makes ya wonder.
More info here
3 posted on 08/02/2002 1:11:27 PM PDT by beckett
To: Bush2000
(Hey, don't blame us for Theo "The Raat" DeRaadt's problems. The guy's practically begging for stuff like this to happen to him. Search Google for "bugtraq GOBBLES" for more information...)
Interesting side note - It was a checksumming feature of the FreeBSD ports system which caught this trojan-horse.
:) ttt
4 posted on 08/02/2002 1:33:21 PM PDT by detsaoT
To: ikka
According to this August 1 weblog, the problem was detected and reported within six hours when the automatic checksum comparison reported a problem with the archive. If the people installing the software are paying attention to the checksum error message, it's unlikely that this trojan has affected more than a few machines.
Also of note -
The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get an M, it will spawn a shell. Some people will build it "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.
5 posted on 08/02/2002 1:37:09 PM PDT by HAL9000
To: Bush2000
At least with FreeBSD you'll have a chance with checksums to see that it was bogus. Unlike with Microsoft, where you could get some FunLove with their hotfixes and wouldn't know it.
6 posted on 08/02/2002 1:42:00 PM PDT by lelio
To: HAL9000
I swear some virus writers are just dumb. Should rather connect to a list of IRC servers and post info, that way the person that wrote it can't be so easily detected or stopped.
7 posted on 08/02/2002 1:43:13 PM PDT by lelio
To: *tech_index; Ernest_at_the_Beach
Filing
To: lelio
I swear some virus writers are just dumb. Should rather connect to a list of IRC servers and post info, that way the person that wrote it can't be so easily detected or stopped.
The server in question wasn't traceable back to the originator of the trojan. Ironically, one of the first two people to discover the problem was the owner of the server. He shut down the server and rebuilt it immediately.
To: Bush2000
Repeat after me: "We need at least 30 days to investigate, formulate and propagate a fix.."
To: detsaoT
The real scary part is that whoever broke into the server to replace the package could have also replaced the sums.. then no one would have noticed. Who was the admin on that (Sun) box?
To: TechJunkYard
could have also replaced the sums
That's not that simple. You have to know a trusted person's private key to certify the new hash value. They're way ahead of the typical MS programmer hired to insert trojans into open source. Also, it's very rare anyone would install OpenSSH without verifying its integrity. Someone smart enough to install it would not skip that 10 second test.
12 posted on 08/02/2002 2:34:13 PM PDT by Reeses
To: justlurking
Showing that you shouldn't depend on one r00ted box to receive your handiwork :) Just connect to an IRC server and post something, or maybe post to UseNet.
Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?
13 posted on 08/02/2002 2:49:02 PM PDT by lelio
To: Reeses
..the typical MS programmer hired to insert trojans into open source
Hoo-boy, are you trying to incite a riot or something? ;-)
This really does expose some problems with the way OSS is distributed and installed. Luckily OpenBSD actually performs a checksum when it installs something. Lots of Linux folks don't bother. Lots of folks build AND install AS ROOT so this scheme (compile and run an extra program at build-time) would open a root shell to the attacker.
In a way, the Windows crowd is lucky they only have to worry about buying buggy code, and the risks associated with that. WE don't know WHAT we need to worry about.
To: lelio
Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?
Details here. It was an unbelievable stroke of luck that the guy was on the same IRC channel where the analysis was conducted and recognised the host name.
To: lelio
Did the person discover his box was hacked as suddenly he started seeing thousands of hits on that port?
No, it's really strange: the first guy to discover the checksum problem (or at least the first one to investigate) asked on an IRC channel if anyone else had the same problem.
The guy that responded eventually turned out to be the administrator/owner of that server. A weird coincidence.
It's not clear that the server was actually hacked, or if the owner/administrator saved anything to investigate the source of the compromise.
To: TechJunkYard
Details here. Should have checked the thread. I responded directly to the "My Comments" page.
This is the same info I read, too.
To: Reeses
MD5 checksums are not the same as digital signatures. I can generate an MD5 checksum value for a file, send you a copy of the file, then you can generate an MD5 checksum for the file on your system and, provided the file hasn't been modified, you'll come up with the same value. No key required.
The fact that the perpetrator could have generated new checksums for the modified tarballs, but didn't, suggests that he was trying to make a point.
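The two points the thread keeps returning to, that a ports-tree checksum caught the tampered archive and that a checksum on the same server is not a signature, can be shown in a few lines. The following is an added example written for this page, not code from the thread, from FreeBSD or from OpenSSH; the archive contents, the file name and the distinfo-style record are all constructed, with the record format modelled on the FreeBSD ports distinfo files.

```python
import hashlib

# Constructed sample archive contents: the bytes are made up, only their digests matter.
NAME = "openssh-sample.tar.gz"  # hypothetical file name, not a real release
GOOD_TARBALL = b"constructed stand-in for a clean release archive\n"
# Constructed tampered copy: the same archive with extra bytes appended, standing in
# for a build-time program injected into the distribution.
TAMPERED_TARBALL = GOOD_TARBALL + b"constructed stand-in for injected build-time code\n"


def digests(data: bytes) -> dict:
    """MD5, as the 2002 ports tree recorded, plus SHA-256 as a modern tree records."""
    return {
        "MD5": hashlib.md5(data).hexdigest(),
        "SHA256": hashlib.sha256(data).hexdigest(),
    }


def make_distinfo(name: str, data: bytes) -> str:
    """Produce a distinfo-style record: 'ALGO (filename) = value' lines plus SIZE."""
    d = digests(data)
    return (
        f"MD5 ({name}) = {d['MD5']}\n"
        f"SHA256 ({name}) = {d['SHA256']}\n"
        f"SIZE ({name}) = {len(data)}\n"
    )


def parse_distinfo(text: str) -> dict:
    """Map each file name to its recorded {ALGO: value} entries."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        algo, rest = line.split(" (", 1)
        name, value = rest.split(") = ", 1)
        records.setdefault(name, {})[algo] = value.strip()
    return records


def verify(name: str, data: bytes, distinfo: str) -> tuple:
    """Return (ok, problems). Every recorded digest and the size must match the archive."""
    expected = parse_distinfo(distinfo).get(name)
    if expected is None:
        return False, [f"no distinfo record for {name}"]
    actual = digests(data)
    actual["SIZE"] = str(len(data))
    problems = [f"{algo} mismatch" for algo, value in expected.items()
                if actual.get(algo) != value]
    return (not problems), problems


# The record a port maintainer committed when the port was made, fetched from the
# ports tree rather than from the download mirror (constructed here from the clean copy).
PORTS_DISTINFO = make_distinfo(NAME, GOOD_TARBALL)


def checks() -> dict:
    """The three cases the thread discusses, as one table of results."""
    return {
        # clean archive against the committed record: passes
        "clean": verify(NAME, GOOD_TARBALL, PORTS_DISTINFO),
        # tampered archive against the committed record: this is what caught the trojan
        "tampered": verify(NAME, TAMPERED_TARBALL, PORTS_DISTINFO),
        # tampered archive against a record regenerated on the compromised mirror:
        # passes, because a checksum only proves the data matches whoever wrote the sum
        "tampered, sums replaced": verify(NAME, TAMPERED_TARBALL,
                                          make_distinfo(NAME, TAMPERED_TARBALL)),
    }


if __name__ == "__main__":
    for case, (ok, problems) in checks().items():
        print(f"{case:24s} ok={ok} {problems}")
```

The third case is the limitation the thread points at: a digest file stored beside the archive on the same server detects only accidental corruption or an attacker who did not bother to update it. The check has teeth because the ports tree's distinfo was committed separately from the mirror, so the attacker would have needed access to both; binding the digest to a key holder (a signed release or a signed ports tree) is what turns it into a signature.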
To: ikka
It was found and fixed within about 24-48 hours. Further, it was not a corruption or bug in the source code that was in the central repository of code. It was a hack on a SunSITE server in Alberta, Canada, which does not run OpenBSD but instead runs Solaris, a closed source OS.
I could care less about how quickly it was fixed. You guys are constantly harping on how much more secure open source is. And you hate it when you get your faces rubbed in your own garbage.
19 posted on 08/02/2002 7:29:01 PM PDT by Bush2000
To: Bush2000
How does this incident prove that Open Source is not secure?