OpenSSH Package Trojaned

cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.

hmmm....

[reaper20]

So the sources are bad but the binaries are good? Is today bizarro-world day or something?

Re:hmmm....

[Chester+K]

So the sources are bad but the binaries are good? Is today bizarro-world day or something?

This is yet another example of why everyone should use proprietary closed source software! I bet nobody's ever been compromised through a trojan horse in the build process of Microsoft Word!

Re:hmmm....

[ThereIsNoSporkNeo]

Actually, at this point, most of us Slashdot posters have been replaced with chatbots and mine-detection robots. As we lack the programming language to simulate your ideal "Humor", we have simply posed as programmers and accountants.

To be honest, you're the only real human left. Sorry we missed you. You'll be getting a knock on your door shortly.

Don't worry... this is just the world pulled over you eyes.

What's the big worry

[back@slash]

C:\>bf-output.sh
'bf-output.sh' is not recognized as an internal or external command,
operable program or batch file

This trojan doesn't look very 31337 to me.

Re:What's the big worry

[kludge99]

either does that C:\> prompt

Well, I guess that's what they get...

[MrBadbar]

...for hosting ftp.openbsd.org on a box running SunOS, not OpenBSD!

New catch phrase

[martinde]

It was "no remote holes in 5 years". Now it's "one remote hole in the default install, in nearly 6 years!"

Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"

Re:Just a Thought to prevent this..

[yatest5]

If there would be some configure/make environment that prevents or asks before outgoing connections and checks for possibly dangerous commands, that are unusual to call upon a ./configure run, wouldn't that prevent things like this to happen again?


Yes, I recommend having the installation banned from creating / deleting / running any files.

Re:j00 R 0wn3d lol

Ever heard of the "security patch" for XP and Media Player? Right in the EULA you give Micro$loth admin rights to your machine - hell, they put it in clear english! I'm sorry, but a media player should not be able to root the box, period. And the "fix" itself could be considered a trojan - one with a legal EULA to boot!

So you must not run XP, right? I know a guy who firewalls his XP box, not so much to keep others out, but to keep data in! He uses egress filters to stop unauthorized outgoing traffic. And, yes, XP tries to report back to Redmond.

This rogue code was caught within 6 hours. It would take at least 6 days for M$ to even admit that the trojan existed (that is, if they would admit to it at all). Micro$loths security record is hardly something to brag about. On the other hand, OpenBSD's record up til recently has been very impressive, to say the least.

Re:How many people do check the MD5 checksum?

[ckd]

With the ports system, they would have to change the checksum on FreeBSD's systems as well as the source on OpenBSD's site. Keeping them separate helps a lot.

So there are positive features to the *BSD splits after all! :-)

Re:I know who DID IT!

Archer Daniels Midland?

I thought that they just trojaned congress...