Slashdot Mirror

← Back to Stories (view on slashdot.org)

OpenSSH Package Trojaned

Posted by michael on from the md5-saves-lives dept.

cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.

7 of 566 comments (clear)

  1. hmmm.... by reaper20 · · Score: 4, Funny

    So the sources are bad but the binaries are good? Is today bizarro-world day or something?

    1. Re:hmmm.... by Chester+K · · Score: 4, Funny

      So the sources are bad but the binaries are good? Is today bizarro-world day or something?

      This is yet another example of why everyone should use proprietary closed source software! I bet nobody's ever been compromised through a trojan horse in the build process of Microsoft Word!

      --

      NO CARRIER
  2. What's the big worry by back@slash · · Score: 5, Funny

    C:\>bf-output.sh
    'bf-output.sh' is not recognized as an internal or external command,
    operable program or batch file

    This trojan doesn't look very 31337 to me.

    --
    This comment was generated by a Squadron of Ultra Ninjas
  3. Well, I guess that's what they get... by MrBadbar · · Score: 3, Funny

    ...for hosting ftp.openbsd.org on a box running SunOS, not OpenBSD!

  4. New catch phrase by martinde · · Score: 4, Funny

    It was "no remote holes in 5 years". Now it's "one remote hole in the default install, in nearly 6 years!"

    Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"

  5. Re:Just a Thought to prevent this.. by yatest5 · · Score: 5, Funny

    If there would be some configure/make environment that prevents or asks before outgoing connections and checks for possibly dangerous commands, that are unusual to call upon a ./configure run, wouldn't that prevent things like this to happen again?

    Yes, I recommend having the installation banned from creating / deleting / running any files.

    --
    • Mod parent up! [a] by Anonymous Coward (Score:5) Thurs, June 31, @13:37
  6. Re:How many people do check the MD5 checksum? by ckd · · Score: 3, Funny
    With the ports system, they would have to change the checksum on FreeBSD's systems as well as the source on OpenBSD's site. Keeping them separate helps a lot.

    So there are positive features to the *BSD splits after all! :-)