Slashdot Mirror


Trojan Found in libpcap and tcpdump

msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."

19 of 486 comments

  1. Hrmm by Anonymous Coward · · Score: 2, Funny

    Who would have thought that TCPDUMP would have crap like that in it?

  2. Ewww by segfault7375 · · Score: 2, Funny


    Trojan Found in libpcap and tcpdump

    I swear, some of these source trees are worse than the canals of Venice. :)

  3. Hey, Slashdot, by gazbo · · Score: 3, Funny

    I was just wondering how long these sources have been available with these many eyes making bugs shallow and so forth? I'm assuming it's less than 1 hour, because as I keep being told, everyone in the open source community checks all source code thoroughly before installing it, which is something that can't be done with closed source.

  4. Re:mars.raketti.net by Anonymous Coward · · Score: 1, Funny

    Easy. Same way it happens to OpenSSH, and the OpenBSD kernel (you know that current revisions of OpenBSD are trojaned all to hell, don't you?)... First you come up with the "killer exploit" this is known in our little community as "0day"... THEN, you exploit the tome of information, be it openbsd.org, kernel.org, tcpdump.org etc.. and insert your code. You can prepare days in advance with your new version, so really, breaking the box is the only real hard part..

    1. wget http://www.foo.com/useful-app.tar.gz

    2. tar -xzf useful-app.tar.gz

    3. vi something.c

    4. tar -cf useful-app.tar.gz useful-app/

    5. md5sum useful-app.tar.gz > useful-app.md5

    6. ./hax0r-the-hell-out-of www.foo.com

    7. scp ~/useful-app.tar.gz www.foo.com/useful-app.tar.gz

    8. scp ~/useful-app.md5 www.foo.com/useful-app.md5

    9. vi /var/log/syslog

    10. ????

    11. pr0fit.

    or if you are openbsd, you bribe a developer for their commit access.. or you break the developer's box..

    isn't hacking for world domination fun?
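
The integrity point behind the comment above, as an added example that is not part of the original thread: a checksum file served from the same host as the tarball is regenerated along with it, so only a digest pinned through a separate channel detects the swap. The byte strings, the pinned digest and all function names are constructed for illustration.

```python
import hashlib
import hmac

HEX = set("0123456789abcdef")

def parse_md5sum_line(text):
    """Parse one line of md5sum output: '<32 hex digits>  <filename>'."""
    digest, _, name = text.strip().partition(" ")
    digest = digest.lower()
    if len(digest) != 32 or not set(digest) <= HEX:
        raise ValueError("not an md5sum line")
    return digest, name.lstrip(" *")  # '*' marks binary mode in md5sum output

def verify_cohosted(artifact, md5_file_text):
    """Compare the download with the .md5 file fetched from the same server."""
    expected, _ = parse_md5sum_line(md5_file_text)
    return hmac.compare_digest(hashlib.md5(artifact).hexdigest(), expected)

def verify_pinned(artifact, pinned_sha256):
    """Compare the download with a digest recorded earlier, off the server."""
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())

def md5sum_line(data, name):
    """Produce the text a '.md5' file would contain for this data."""
    return f"{hashlib.md5(data).hexdigest()}  {name}\n"

# Constructed sample data standing in for the real tarball contents.
ORIGINAL = b"useful-app 1.0 source tarball (constructed bytes)"
TAMPERED = ORIGINAL + b" plus one modified file"

# Assumption: this digest was recorded at release time and is kept
# somewhere the download server cannot rewrite (a signed announcement,
# a distribution's package metadata, a lockfile in your own repository).
PINNED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()

def scenario():
    """After the swap, the server hands out TAMPERED and a matching .md5."""
    served_md5 = md5sum_line(TAMPERED, "useful-app.tar.gz")
    return {
        "cohosted_accepts_tampered": verify_cohosted(TAMPERED, served_md5),
        "pinned_accepts_tampered": verify_pinned(TAMPERED, PINNED_SHA256),
        "pinned_accepts_original": verify_pinned(ORIGINAL, PINNED_SHA256),
    }

if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check}: {result}")
```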

  5. Er, I thought trojans were for preventing... by quintessent · · Score: 2, Funny

    ...wait...never mind.

  6. Re:This is dreadful by phaze3000 · · Score: 4, Funny

    It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.

    I couldn't agree more, if those cheap-arsed hippies who write Linux would only pay up when there's a problem with their software like reputable commercial companies like Micros.. err, Oracl.. err actually, forget it.

    --
    Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
  7. Isn't this the whole point of Open Source? by elliotj · · Score: 5, Funny

    I thought the whole idea of the GPL was that you could take a program and modify it to your own needs so long as you release the source back to the community under the same license.

    Sounds like that's what happened here!

  8. Impressive! (Was: as soon as this evening...) by teqo · · Score: 3, Funny
    apt-get update...
    well, I have not installed these sniffing proggies, so it should be okay.

    Darn... apt-get even makes your box more secure than before even if you haven't actually installed the bad packages? This must be the Holy Grail! And it should be okay? Not only that you have not installed tcpdump and libpcap, what definitely makes it okay, you don't even trust apt-get to really solve your (non-existing) problem... Now I wanna join the apt-get cult... Where can I register?

    I bet you recommend penicillin over other medicine even when you got no infection! Or do you use apt-get then as well? Doesn't make any difference anyway...

    (For the record: I use Debian GNU/Linux among other stuff...)

  9. Re:This is dreadful by djtack · · Score: 5, Funny

    And looking through his user profile, he's also a rocket scientist. Wow.

  10. Re:as soon as this evening... by OrangeSpyderMan · · Score: 3, Funny

    If you read the article more carefully, you will notice that the binaries aren't trojaned.

    Phew, glad to hear that, I was worried the trojaned sources actually built trojaned binaries - glad you got that cleared up for us.

    --
    Try NetBSD... safe,straightforward,useful.
  11. More by Anonymous Coward · · Score: 2, Funny

    ...as a rocket scientist I feel most compelled to answer
    http://slashdot.org/comments.pl?sid=44937&cid=4658776

    ...I run a successful London-based dot com
    http://slashdot.org/comments.pl?sid=44933&cid=4658433

    ... As a lawyer myself, I can state that
    http://slashdot.org/comments.pl?sid=44912&cid=4658097

    ... I'm an avid open-source supporter
    http://slashdot.org/comments.pl?sid=21128&cid=2238414

    ...I am an avid supported of the open-source movement [sounds familiar? that's because it is -ed]
    http://slashdot.org/comments.pl?sid=20824&cid=2207372

    ...I'm an avid supported of the open source movement [we know -ed]
    http://slashdot.org/comments.pl?sid=20761&cid=2204471

    ... I am a passionate supported of the open-source movement [geez -ed]
    http://slashdot.org/comments.pl?sid=20760&cid=2204422

  12. Re:This is dreadful by forged · · Score: 2, Funny
    The guy is good, isn't he 8-}

    This reminds me of this one time when I chatted this girl on IRC. Oh wait.....

  13. Microsoft's new tactic! by SirAnodos · · Score: 1, Funny

    I'm telling you, this is Microsoft's new tactic for attacking open source. Make people afraid of it, and they will run in terror.

  14. Re:Eventually, this would happen by bellings · · Score: 3, Funny

    Now - who has most to gain from a highly visible trojan that's in fact virtually useless - Microsoft.

    No! It's John Ashcroft! This is just the first step towards the Brave New World Order, as correctly foretold on that ground-breaking show "The X-Files."

    Before Chris Carter and David Duchovney were eliminated and replaced with robotic clones by the old CIA lackeys of George Bush Senior, that show was the only thing on television that really explained what was going on in the world. There was a brief attempt by the FOX network to continue feeding you important news about technology and politics, but the Lone Gunmen show was quickly eliminated by the evil forces...

    --
    Slashdot is jumping the shark. I'm just driving the boat.
  15. Re:prison by Anonymous Coward · · Score: 1, Funny

    Goddamn, just becuase they might be loaded with more trojans than you'll ever need, spying on all of your important works, please, please use a closed-source spell-checker, this OS one appears to be faulty.

    Reading that text was just plain painful.

  16. Re:Glad I use Gentoo by luismunoz · · Score: 2, Funny

    [Insert the obligatory joke about /. slashdotting this server too] :)

  17. Re:as soon as this evening... by Anonymous Coward · · Score: 1, Funny

    5. Get the source, audit it line by line, and then build it when you know it's safe.

    6. Don't bother downloading packages, write your own ;-) /me don't trust any code I don't write...guess I should get started on the kernel!

  18. Re:This is dreadful by Anonymous Coward · · Score: 1, Funny

    Yeah, that girl on IRC was probably Jazzman.

  19. Re:as soon as this evening... by dbarclay10 · · Score: 3, Funny
    People using source for security who are in category 1 or 2 are just fooling themselves.
    You know that. I know that. Try telling THEM :) (Where "THEM" includes my boss, who makes me compile everything from source [and for Christ's sake, I maintain packages in the Debian archive!], but won't pay me or anybody else to actually *audit* the source, god-damnit.)
    --

    Barclay family motto:
    Aut agere aut mori.
    (Either action or death.)