[Ayuda] OpenSSH Security Advisory: Trojaned Distribution Files]

To: unam-cert en seguridad unam mx
Subject: [Ayuda] OpenSSH Security Advisory: Trojaned Distribution Files]
From: UNAM-CERT <unam-cert en seguridad unam mx>
Date: Thu, 1 Aug 2002 12:23:31 -0500 (CDT)
In-reply-to: <Pine.GSO.4.10.10208011204290.22560-100000@martini.super.unam.mx>
List-archive: <https://pegaso.fisica.unam.mx/pipermail/ayuda/>
List-help: <mailto:ayuda-request@linux.org.mx?subject=help>
List-id: GNU/Linux help list <ayuda.linux.org.mx>
List-post: <mailto:ayuda@linux.org.mx>
List-subscribe: <https://pegaso.fisica.unam.mx/mailman/listinfo/ayuda>, <mailto:ayuda-request@linux.org.mx?subject=subscribe>
List-unsubscribe: <https://pegaso.fisica.unam.mx/mailman/listinfo/ayuda>, <mailto:ayuda-request@linux.org.mx?subject=unsubscribe>
Sender: ayuda-admin en linux org mx

-----BEGIN PGP SIGNED MESSAGE-----


> ---------- Forwarded message ----------
> 
> Date: Thu, 1 Aug 2002 11:19:49 -0400
> From: Niels Provos <provos en citi umich edu>
> To: security-announce en openbsd org, misc en openbsd org, announce en openbsd org
> Subject: OpenSSH Security Advisory:  Trojaned Distribution Files
> User-Agent: Mutt/1.3.27i
> X-Spam-Level:
> 
> OpenSSH Security Advisory (adv.trojan)
> 
> 1. Systems affected:
> 
> OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
> OpenBSD ftp server and potentially propagated via the normal mirroring
> process to other ftp servers.  The code was inserted some time between
> the 30th and 31th of July.  We replaced the trojaned files with their
> originals at 7AM MDT, August 1st.
> 
> 2. Impact:
> 
> Anyone who has installed OpenSSH from the OpenBSD ftp server or any
> mirror within that time frame should consider his system compromised.
> The trojan allows the attacker to gain control of the system as the
> user compiling the binary.  Arbitrary commands can be executed.
> 
> 3. Solution:
> 
> Verify that you did not build a trojaned version of the sources.  The
> portable SSH tar balls contain PGP signatures that should be verified
> before installation.  You can also use the following MD5 checksums for
> verification.
> 
> MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
> MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
> MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
> MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
> MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
> 
> 4. Details
> 
> When building the OpenSSH binaries, the trojan resides in bf-test.c
> and causes code to execute which connects to a specified IP address.
> The destination port is normally used by the IRC protocol.  A
> connection attempt is made once an hour.  If the connection is
> successful, arbitrary commands may be executed.
> 
> Three commands are understood by the backdoor:
> 
> Command A:  Kill the exploit.
> Command D:  Execute a command.
> Command M:  Go to sleep.
> 
> 5. Notice:
> 
> Because of the urgency of this issue, the advisory may not be
> complete.  Updates will be posted to the OpenSSH web pages if
> necessary.
> 
> 
> 
> ----- End forwarded message -----

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQEVAwUBPUlumXAvLUtwgRsVAQEfuQf/Ybio+4AnuNY6jJzaXTrdsEnmKd+DWMen
IXV4oDtWXF9+sX/TsnJ2s1TYDcbQGoIxBFCCYktBbg0MxQAZNW5QzHSUCI93bWrc
xau3ES0Hbpsz6PQX7o1VpqTIp1KsMSwOiisU+hNxQlY8Nz1E0t0VEWjLnodNVNJN
lJwV3EWdzwB7tPWPPyPr7eaBKhX5bQkXtqcUX4GunEFqe05FwZEjAVslzeeX79Vv
OJo1I16eGvT3NijADTgohUkHmhJxIYnlSEfd4/fqqJ8OV3qzm0WG0M9O3p8Jbb5E
apF8QTn9+ROCVmTiRNcAFYumjhpI1KgR6oaTtik6xoBz30ZibDGoSw==
=q3Wh
-----END PGP SIGNATURE-----


_______________________________________________
Ayuda mailing list
Ayuda en linux org mx
Para salir de la lista: http://mail.linux.org.mx/mailman/listinfo/ayuda/

Previo por Fecha: [Ayuda] Apache + Mod_ssl + mod_perl sobre aix
Siguiente por Fecha: [Ayuda] samba!!
Previo por Hilo: [Ayuda] Re: [Gasu] Apache + Mod_ssl + mod_perl sobre aix
Siguiente por Hilo: [Ayuda] samba!!

[Hilos de Discusión] [Fecha] [Tema] [Autor]