OpenSSH Package Trojaned

cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.

How many people do check the MD5 checksum?

[frleong]

Do you check the packages downloaded from sites that you usually do not have problems with? Like from redhat.com, debian.org and in this case openbsd.org?

Also, how many people do read the makefiles before running them on your machine? And when installing binaries require root access?

If this story is really true, how much safer is open-source programs, when compared with closed source programs? Notice that even with closed source programs, *some* people will eventually discover that they are trojan or not.

Re:How many people do check the MD5 checksum?

[Mr_Silver]

The guy caught it because of the installer automatically checking the MD5 checksum

I'm a little confused. How can you trust a package to check it's own MD5 checksum? If I'd slipped a malicious program into another app, the next thing I would do is hack the checking code to falsly tell the user than the checksum is fine.

Re:203.62.158.32

[CrazyDuke]

Packet kiddies like to have their zombies join an irc channel so they can tell the bots to ddos by just typeing something like "!flood 127.0.0.1."

I dunno if thats what this one does though.

How to fix this from the site it's calling

[bee]

Since the trojan dies if it sees an A first thing, obviously the guy running the box it's trying to contact should run something like this:

yes "A" | nc -p 6667

Then every daemon that connects gets an A right away, and thus dies. End of problem.

Re:Open Source PKI Needed?

[fizbin]

Except that then you would be bitten by stuff like this that trojans the makefiles.

As far as trojaning individual .deb packages, apt-get will indeed abort if the download md5sum doesn't match the md5 recorded in the Packages file. However, there is damn near nothing to verify that the Packages file is what it ought to be. (And since .debs and Package files are pulled from the same place...)

Every time this comes up on debian-devel the end result is a classic example of "the best is the enemy of the good". The suggestions for minimal signing of anything (say, having the process that creates the Packages file sign it) are always rejected because they wouldn't address the whole problem. (What if master.debian.org were hacked?) Unfortunately, no one can ever come up with an acceptable consensus definition on what the whole problem actually is, so nothing ever comes close to being implemented.

Trolling for karma, eh?

[Inoshiro]

Alan Cox was calling Theo to task because he didn't like how Theo concealed the exact security problem until a workaround was given out. This is an attitude some developers have. It's not the best attitue from a customer/end-user standpoint, but some people who write code and give it for free use still don't understand it. Alanx Cox sounds like, despite him being a valuable asset to the community, he does not understand this.

If he'd have said, "for all we know, OpenBSD could attract near-earth bodies" would you post this comment as "eerily prescient" on the recent asteroid stories? Sometimes things just aren't related. Despite what Mulder may think.

Re:Gentoo is Good to Go

[glwtta]

Maybe now they will.

why now? this whole episode seems to be a good example of the current system working well... tarball trojaned, ports system detects md5 mismatch, no compromise, no problem.