Slashdot Mirror


OpenSSH Package Trojaned

cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.

15 of 566 comments

  1. OpenBSD is holy! by Anonymous Coward · · Score: 0, Funny

    It's official: OpenBSD is holy. The Pope just announced the security hole itself.

    Another blow to the *BSD movement, losing the support of Atheists all over the globe...

    Or something.

  2. hmmm.... by reaper20 · · Score: 4, Funny

    So the sources are bad but the binaries are good? Is today bizarro-world day or something?

    1. Re:hmmm.... by Chester+K · · Score: 4, Funny

      So the sources are bad but the binaries are good? Is today bizarro-world day or something?

      This is yet another example of why everyone should use proprietary closed source software! I bet nobody's ever been compromised through a trojan horse in the build process of Microsoft Word!

      --

      NO CARRIER
    2. Re:hmmm.... by ThereIsNoSporkNeo · · Score: 2, Funny

      Actually, at this point, most of us Slashdot posters have been replaced with chatbots and mine-detection robots. As we lack the programming language to simulate your ideal "Humor", we have simply posed as programmers and accountants.

      To be honest, you're the only real human left. Sorry we missed you. You'll be getting a knock on your door shortly.

      Don't worry... this is just the world pulled over your eyes.

      --
      With my dying breath, I curse Zoidberg!
  3. This is another victory for Open Source!!! by Anonymous Coward · · Score: 1, Funny

    Isn't it?

  4. What's the big worry by back@slash · · Score: 5, Funny

    C:\>bf-output.sh
    'bf-output.sh' is not recognized as an internal or external command,
    operable program or batch file


    This trojan doesn't look very 31337 to me.

    --
    This comment was generated by a Squadron of Ultra Ninjas
    1. Re:What's the big worry by kludge99 · · Score: 2, Funny

      Neither does that C:\> prompt

  5. Well, I guess that's what they get... by MrBadbar · · Score: 3, Funny

    ...for hosting ftp.openbsd.org on a box running SunOS, not OpenBSD!

  6. New catch phrase by martinde · · Score: 4, Funny

    It was "no remote holes in 5 years". Now it's "one remote hole in the default install, in nearly 6 years!"

    Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"

  7. slashdot is missing a great opportunity to help by back@slash · · Score: 0, Funny

    The right thing to do here would be to put a link in the article to port 80 of the receiver server of the trojan.

    Let's see it try to work while the server is being /.'d into oblivion.

    --
    This comment was generated by a Squadron of Ultra Ninjas
  8. Re:Just a Thought to prevent this.. by yatest5 · · Score: 5, Funny

    If there would be some configure/make environment that prevents or asks before outgoing connections and checks for possibly dangerous commands, that are unusual to call upon a ./configure run, wouldn't that prevent things like this to happen again?


    Yes, I recommend having the installation banned from creating / deleting / running any files.

    --
    • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
  9. Re:j00 R 0wn3d lol by Anonymous Coward · · Score: 2, Funny

    Ever heard of the "security patch" for XP and Media Player? Right in the EULA you give Micro$loth admin rights to your machine - hell, they put it in clear English! I'm sorry, but a media player should not be able to root the box, period. And the "fix" itself could be considered a trojan - one with a legal EULA to boot!

    So you must not run XP, right? I know a guy who firewalls his XP box, not so much to keep others out, but to keep data in! He uses egress filters to stop unauthorized outgoing traffic. And, yes, XP tries to report back to Redmond.

    This rogue code was caught within 6 hours. It would take at least 6 days for M$ to even admit that the trojan existed (that is, if they would admit to it at all). Micro$loth's security record is hardly something to brag about. On the other hand, OpenBSD's record up till recently has been very impressive, to say the least.

  10. Re:How many people do check the MD5 checksum? by ckd · · Score: 3, Funny
    With the ports system, they would have to change the checksum on FreeBSD's systems as well as the source on OpenBSD's site. Keeping them separate helps a lot.

    So there are positive features to the *BSD splits after all! :-)

  11. Re:203.62.158.32 by cheezfreek · · Score: 1, Funny
    I'd say the odds of this have to be about 2036215832:1.

    I'm sorry. I shouldn't have inflicted my strange sense of humour on the world.

  12. Re:I know who DID IT! by Anonymous Coward · · Score: 2, Funny

    Archer Daniels Midland?

    I thought that they just trojaned congress...