Slashdot Mirror


Trojan Found in libpcap and tcpdump

msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."


  1. Glad I use Gentoo by rob-fu · · Score: 4, Informative

    Emerge doesn't get tcpdump source from tcpdump.org, but from ibiblio.org.

    How did it get into tcpdump.org's sources exactly? The HLUG page isn't clear.

    1. Re:Glad I use Gentoo by elrond1999 · · Score: 5, Informative

      Emerge does get sources from tcpdump.org if all other mirrors are down. Excerpt from the ebuild:
      SRC_URI="http://www.tcpdump.org/release/${P}.tar.gz
      http://www.jp.tcpdump.org/release/${P}.tar.gz"

      SRC_URI is a last resort mirror...
      Luckily the MD5 sum caught the trojan (from the Gentoo ebuild digest):
      MD5 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz 428737
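    The check the comment above describes, as an added example (not code from the page, from Gentoo, or from Portage): it parses the 'MD5 <hex> <filename> <size>' digest line quoted above, checks size and hash separately, and shows why the size alone is not enough. The tarball bytes are constructed test data, not a real tcpdump release.

```python
"""Check a downloaded tarball against a recorded digest line (Gentoo digest format).

Added example, not code from the page or from Gentoo/Portage. The digest
line format 'MD5 <hex> <filename> <size>' is the one quoted in the comment
above; the tarball written by demo() is constructed test data.
"""
import hashlib
import os
import tempfile


def parse_digest_line(line):
    """'MD5 <hex> <filename> <size>' -> (algo, hexdigest, filename, size)."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError("malformed digest line: %r" % line)
    algo, hexdigest, name, size = parts
    return algo.lower(), hexdigest.lower(), name, int(size)


def file_digest(path, algo):
    """Hash the file in chunks so a large tarball need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_tarball(path, digest_line):
    """(ok, reason) for a downloaded file against its recorded digest line.

    Size is checked first because it is cheap, but a matching size proves
    nothing by itself: the hash is what catches an in-place edit.
    """
    algo, expected, name, size = parse_digest_line(digest_line)
    if os.path.basename(path) != name:
        return False, "filename %r does not match digest entry %r" % (os.path.basename(path), name)
    actual_size = os.path.getsize(path)
    if actual_size != size:
        return False, "size %d, digest says %d" % (actual_size, size)
    actual = file_digest(path, algo)
    if actual != expected:
        return False, "%s %s, digest says %s" % (algo, actual, expected)
    return True, "ok"


def record_digest(path, algo="md5"):
    """Digest line for a file you trust, to keep locally and compare against later."""
    return "%s %s %s %d" % (algo.upper(), file_digest(path, algo),
                            os.path.basename(path), os.path.getsize(path))


def demo():
    """Record a pristine (constructed) tarball, then detect a same-size tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "tcpdump-3.7.1.tar.gz")
        pristine = b"\x1f\x8b" + b"constructed tarball payload, not a real release\n" * 8
        with open(path, "wb") as f:
            f.write(pristine)
        line = record_digest(path)
        good = verify_tarball(path, line)
        # Flip one byte: the length is unchanged, so only the hash can reveal the edit.
        tampered = bytearray(pristine)
        tampered[40] ^= 0x01
        with open(path, "wb") as f:
            f.write(bytes(tampered))
        bad = verify_tarball(path, line)
        return {"pristine": good, "tampered_same_size": bad}


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print("%-20s %s (%s)" % (label, "OK" if ok else "FAIL", reason))
```

    Keeping your own digest lines from a known-good download, as a later comment in this thread does, is what turns a checksum into evidence: a digest published next to the tarball on the same compromised server proves nothing.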

  2. Seems by jamesjw · · Score: 2, Informative


    Seems now more than ever the need to check the authenticity of your sources before installing.

    As if security auditing wasn't a big enough headache already :(

    --
    -- If at first you don't succeed, lie!
  3. mirrors for a just in case by Anonymous Coward · · Score: 1, Informative

    mirror 1 in italy mirror 2 in poland
    blah blah blah... just don't feel like fscker dying all by itself. yadda yadda yadda, beowulf cluster hootie hoo, slashdot should cache unfta unf, I need head

  4. Re:This Trojan thing... by JamesO · · Score: 5, Informative

    It's Denis Ritchie

    And he only might have done it (can you tell?)

    See http://www.acm.org/classics/sep95/ for more details

  5. Re:This is dreadful by vadim_t · · Score: 2, Informative

    Excuse me if I sound disrespectful, but that makes me really doubt your skills. MD4? First, usually what's used is MD5; second, it's just a hash and doesn't ensure the file hasn't been tampered with. All you need is to run md5sum on the patched file.

    Now, good GPG signatures would have helped.

  6. Re:Eventually, this would happen by Anonymous Coward · · Score: 0, Informative
    If your closed source software has backdoors or trojans...well....who knows

    Closed src doesn't have its src on some webserver for some kiddie to trojan in the first place. Sure, there's the possibility of some employee or the employer itself trojaning the src, but most open source trojans are someone breaking into the web server and uploading modified src. By definition this won't happen with closed src since closed src doesn't release src, so your argument is irrelevant.

  7. Re:Eventually, this would happen by khendron · · Score: 5, Informative

    Easily detected? I wonder about this. If you look at the date stamp on the trojaned configure script, it is December 10th, 2001.

    Does that mean that this trojan has been around for almost a year before anybody noticed? If that's true, it does not meet my definition of "easily detected".

    --
    Life is like a web application. Sometime you need cookies just to get by.
  8. Re:Siltakoski Petri is somehow connected with this by rekulator · · Score: 3, Informative

    Yeah! Let's nail his ass! ..
    Oh wait, perhaps he's just the tech guy working for the company which registered the domain "raketti.net", Kuopion Puhelin. It's a telecom and net operator after all.

  9. Re:Siltakoski Petri is somehow connected with this by Masa · · Score: 4, Informative
    Siltakoski Petri is somehow connected with this

    Yes and no. The information you have successfully received from the Whois database is pointing to the phone company in Finland, which happens to be a host for raketti.net domain. Petri Siltakoski is just an administrative contact of the ISP (Raketti.Net). He has nothing to do with the web page set up by an individual who seems to have an account in this ISP.

  10. Reply from a mirror site to HLUG and tcpdump.org by Dogcow · · Score: 5, Informative

    This was just sent ~1 min ago:

    To : msolnik@hlug.org
    Cc : wt-changes@wiretapped.net,
    tcpdump-workers@tcpdump.org,
    mcr@sandelman.ottawa.on.ca
    Subject : tcpdump.org mirrors
    ----- Message Text -----
    Hi guys,

    I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.

    You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.

    Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html

    Hope this assists in preventing any further spread,

    Grant
    www.wiretapped.net

  11. Re:So much for peer auditing? by Anonymous Coward · · Score: 5, Informative

    I'm going to try to walk you through this with baby steps.
    let me make sure to put pillows over the sharp corners of the table.

    this was found, just last night, because of the change in the md5 checksum.
    this md5 checksum changed because the file changed.
    this file changed because someone changed it
    so in conclusion, this file has not been like this for a year

    hope you were able to keep up

  12. Re:So much for peer auditing? by DarkBlack · · Score: 2, Informative

    It has probably been not that long since it was trojaned. Gentoo's portage system gets tcpdump from tcpdump.org and md5's the sources before building. More than likely, it has only been trojaned just recently.

    Since there are no md5 sums or gpg signatures listed on tcpdump.org it makes it very easy for someone to simply replace the source. Only those that check md5 sums and gpg signatures will know if it is truly trojaned or not.

    I hope that the tcpdump people will start providing md5 sums and gpg signatures for those that build from source.

  13. Re:as soon as this evening... by Megane · · Score: 5, Informative
    If you suspect your binaries to be trojanized, you'd want to sniff your own machine, but if (and it is the case) the sniffer is trojanized, then it could possibly hide such "activities"... I actually read the article and it however seems that it was not the case here...

    If you read the article more carefully, you will notice that the binaries aren't trojaned. This is a trojan in the build scripts only. So ironically, only the paranoids who build from source (but aren't paranoid enough to demand an MD5) got hit by this.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  14. facts, not fiction. by F2F · · Score: 5, Informative

    the article is called 'reflections on trusting trust' and Ken Thompson wrote it upon inception of the ACM distinguished scientist award. now, we all know you are full of shit (since you can't even spell his name right) but claiming that 'each version of login was compromised' is so far off base that it's not even funny.

    follow the link posted already, read it and try to understand what he fundamentally tries to tell you. then go and read aleph1's 'smashing the stack for fun and profit' and try to get a glimpse of what 'hacking' was considered in the 80s.

  15. Re:This Trojan thing... by F2F · · Score: 5, Informative

    It's Ken Thompson. How do I know? His name is right beneath the title of the article you linked.

  16. debian all good by Anonymous Coward · · Score: 1, Informative

    sources that debian built these packages from have good checksums

    rgoldber@supercomputer:~$ md5sum tcpdump_3.6.2.orig.tar.gz
    6bc8da35f9eed4e675bfdf04ce312248 tcpdump_3.6.2.orig.tar.gz
    rgoldber@supercomputer:~$ md5sum tcpdump_3.7.1.orig.tar.gz
    03e5eac68c65b7e6ce8da03b0b0b225e tcpdump_3.7.1.orig.tar.gz
    rgoldber@supercomputer:~$ md5sum libpcap_0.7.1.orig.tar.gz
    0597c23e3496a5c108097b2a0f1bd0c7 libpcap_0.7.1.orig.tar.gz

  17. NO!!!! NO!!! NO!!! by AxelTorvalds · · Score: 5, Informative
    md5 checksums are nice but if I was going to put a trojan in to something, I'd probably rebuild the md5sum too. Basically md5sum is a glorified CRC at the end of the gzip, nothing more and nothing less.

    Do this: Download gpg from gnupg.org. Build it. Generate yourself a key. Try to get some of your friends to sign it. submit it to keyserver.net. Sign your code with that key. While you're at it, start using kmail, evolution, or mozilla with enigmail and start signing your emails too. Do it religiously.

    Check sigs when you download code too.

  18. Re:Eventually, this would happen by r55man · · Score: 5, Informative
    Does that mean that this trojan has been around for almost a year before anybody noticed? If that's true, it does not meet my definition of "easily detected".

    I downloaded libpcap/0.7.1 from tcpdump.org on September 2 of this year (just 2 months ago), and it was not trojaned (I keep a record of md5 sums, and was able to check this just now).

    Probably whoever modified the file just touched it to restore the original timestamp. This is trivial to do.

  19. Re:One too many? by ei4anb · · Score: 3, Informative
    www.netcraft.com says www.tcpdump.org uses OpenSSL/0.9.5a

    http://www.openssl.org/news/secadv_20020730.txt says that is vulnerable.

    Everyone using OpenSSL 0.9.6d or earlier, or 0.9.7-beta2 or earlier or current development snapshots of 0.9.7 to provide SSL or TLS is vulnerable, whether client or server.
  20. Sandbox Your Applications by gehirntot · · Score: 5, Informative
    Lately, we have seen many trojaned distributions. To prevent these problems from affecting us in the future, we need to use cryptographic signatures as part of software distribution. Otherwise, we never know if a particular piece of software is authentic or not. Signature checking needs to be part of the installation process. I believe that Debian's apt-get is one of the few tools that actually does this.

    In the meantime, I suggest that you run all your untrusted software in a sandbox like Systrace which is available for the BSDs and Linux.

    This screenshot shows Dug Song detecting the trojan in the Fragroute distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.

    We need to be much more careful about the software that we run.

  21. Re:One too many? by Jeppe+Salvesen · · Score: 3, Informative

    Or maybe there is a *VERY NASTY* exploit circulating privately? This is why the people who set up honeynets and dissect the scans are our heroes. They would hopefully detect unknown exploits in software, just by looking at the fingerprint of the attack and figuring out if it is already known.

    That being said, that alone is not enough. Everyone should run their updates nightly, and make sure their security doesn't collapse completely once one box has been taken.

    However, I would like to take the opportunity to applaud the honeynet people who actively act like sitting ducks in order to protect the rest of us.

    --

    Stop the brainwash

  22. a quick test to see if you're hit by Anonymous Coward · · Score: 4, Informative

    login as root (or whoever can run tcpdump)

    tcpdump -n host 212.146.0.34 &
    telnet 212.146.0.34 1963

    If tcpdump sees the connection, it isn't ignoring port 1963; if you don't see the connection, then your tcpdump is ignoring port 1963.

    and well, it's always nice to /. your local rooted base.
    the people at 212.146.0.34 should change it to something like /usr/bin/tcpd echo 'A' (i think that was the quit code)

    if this test is wrong, well, so be it, i'm still new at this linux thing, but i'm better at linux than i am at spelling (boy, i should be an /. editor)
    --Anonymous Coward
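    An offline version of the test in the comment above, as an added example that is not part of the original post. Instead of sending live traffic to the host quoted there, it writes a small pcap file of constructed packets (two TCP SYNs to and from 212.146.0.34 port 1963, plus one unrelated segment), counts that host's packets with its own parser, and, if a tcpdump binary is on PATH, asks tcpdump to print the same 'host' filter. A sniffer that reports fewer packets than the independent count is dropping that host's traffic. The addresses, MACs and timestamps in the packets are assumptions made for the example.

```python
"""Differential check: does the installed tcpdump show every packet for a host?

Added example, not code from the page or from tcpdump/libpcap. Packets are
constructed; the host/port are the ones quoted in the comment above.
"""
import os
import shutil
import socket
import struct
import subprocess
import tempfile

BACKDOOR_HOST = "212.146.0.34"   # quoted in the comment above
BACKDOOR_PORT = 1963


def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_syn_frame(src_ip, sport, dst_ip, dport):
    """Ethernet/IPv4/TCP SYN (no payload) with valid IP and TCP checksums."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    eth = bytes.fromhex("020000000002" "020000000001" "0800")  # dst MAC, src MAC, IPv4
    return eth + ip + tcp


def build_pcap(frames):
    """Minimal libpcap file: 24-byte global header, then a 16-byte record per frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1037000000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_frames(pcap):
    """Independent reader for the pcap bytes written by build_pcap."""
    assert struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4, "unexpected pcap magic"
    off = 24
    while off < len(pcap):
        _, _, incl, _ = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl]
        off += incl


def involves_host(frame, ip):
    """What the BPF expression 'host ip' means: IPv4 source or destination equals ip."""
    if frame[12:14] != b"\x08\x00":
        return False
    addr = socket.inet_aton(ip)
    return frame[26:30] == addr or frame[30:34] == addr


def count_host_packets(pcap, ip):
    return sum(1 for f in iter_frames(pcap) if involves_host(f, ip))


def sample_capture():
    """Constructed traffic: SYN to the backdoor port, its reply, and one unrelated SYN."""
    return build_pcap([
        tcp_syn_frame("10.0.0.5", 40000, BACKDOOR_HOST, BACKDOOR_PORT),
        tcp_syn_frame(BACKDOOR_HOST, BACKDOOR_PORT, "10.0.0.5", 40000),
        tcp_syn_frame("10.0.0.5", 40001, "10.0.0.1", 80),
    ])


def compare_with_tcpdump(pcap, ip):
    """(expected, observed): our count vs. lines tcpdump prints; observed is None without tcpdump.

    tcpdump -r writes one line per packet to stdout and its 'reading from file'
    banner to stderr, so counting stdout lines counts packets.
    """
    expected = count_host_packets(pcap, ip)
    if shutil.which("tcpdump") is None:
        return expected, None
    with tempfile.NamedTemporaryFile(suffix=".pcap", delete=False) as f:
        f.write(pcap)
        path = f.name
    try:
        res = subprocess.run(["tcpdump", "-n", "-r", path, "host", ip],
                             capture_output=True, text=True)
    finally:
        os.remove(path)
    return expected, len([l for l in res.stdout.splitlines() if l.strip()])


if __name__ == "__main__":
    exp, obs = compare_with_tcpdump(sample_capture(), BACKDOOR_HOST)
    if obs is None:
        print("no tcpdump on PATH; parser expects %d packets" % exp)
    elif obs < exp:
        print("SUSPECT: tcpdump showed %d of %d packets for host %s" % (obs, exp, BACKDOOR_HOST))
    else:
        print("ok: tcpdump showed %d of %d packets" % (obs, exp))
```

    The comparison only works because the reference count comes from code that does not link against the libpcap under suspicion; a filter compiled by a modified gencode.c would drop the packets before tcpdump ever prints them.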

  23. Early news from tcpdump.org by fenner · · Score: 5, Informative

    I moved the binaries on the tcpdump.org web site, so that the "download" links won't work.

    "ls -c" says that the modified binaries were installed at Nov 11 10:14:00 2002 GMT.

    Preliminary inspection says that the CVS repository is O.K.

    1. Re:Early news from tcpdump.org by fenner · · Score: 2, Informative

      The distributions from sourceforge are safe. See

      http://www.sourceforge.net/projects/tcpdump/ http://www.sourceforge.net/projects/libpcap/

      The MD5s of safe versions that HLUG provided appear to be correct; my own MD5 says:

      MD5 (tcpdump-3.7.1.tar.gz) = 03e5eac68c65b7e6ce8da03b0b0b225e
      MD5 (libpcap-0.7.1.tar.gz) = 0597c23e3496a5c108097b2a0f1bd0c7

  24. Re:as soon as this evening... by kevinank · · Score: 5, Informative
    Okay, I've been confused about this MD5 thing. Most often, the MD5s are either in a file in the ftproot, or in the readme. If you've owned the server enough to stick a trojan in the source code, can't you just put in the MD5s of your altered source?

    To be useful the MD5 file should be signed, and the GPG key that signed it should be one that you know and trust. Even that may not be enough if the key owner can be tricked into revealing his private key, or the trojan horse can be introduced into the code on the code owners development machine, but it does add one layer of depth to your security.

    The first time I had a server hacked (mountd exploit, xmas '99) the machine details were sold on IRC, probably in exchange for credit card numbers, to a somewhat clueless Singapore exchange student who proceeded to delete all of my syslog files so that when I logged in remotely the root mailbox was full of complaints about missing logfiles. The rooted system was up for about a week, during which time it probed several thousand IPs for basic exploits, hosted an IRC channel through eggdrop (together with names of the hacker's friends and passwords), all on a machine with no rootkit installed and very little attempt to hide activity.

    Basically I got lucky the first time, and ever since then I've been paranoid, in hopes there won't be a second time. But with a smart hacker and a good root kit, I think even with my paranoia that I could miss a hacker on my machine for a long time, so I suspect it is only a matter of time before some well known developer gets hacked and has signed sources distributed with a trojan horse inside.

    --
    LibBT: BitTorrent for C - small - fast - clean (Now Versio
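    The procedure the comment above asks for, as an added example (not code from the page, from tcpdump.org, or from any project named here): verify the signature on a checksum file before trusting a single digest in it, and accept only a signature by a key whose fingerprint you pinned yourself. File names (SHA256SUMS, SHA256SUMS.asc), the use of SHA-256 rather than the MD5 files the thread discusses, the pinned fingerprint and the gpg status lines used as fixtures are all assumptions of this example; the gpg invocation and the '[GNUPG:] VALIDSIG' status format are real.

```python
"""Trust a checksum file only after its signature verifies against a pinned key.

Added example, not code from the page or from tcpdump.org. Assumes a release
ships SHA256SUMS plus a detached SHA256SUMS.asc and that the maintainer's
public key is already in your keyring. gpg's --status-fd output is parsed
instead of its human-readable text: a 'Good signature' from any key in the
keyring proves nothing, so the VALIDSIG fingerprint is compared with one you
pinned. The fixtures at the bottom are constructed.
"""
import hashlib
import re
import shutil
import subprocess

VALIDSIG_RE = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")
BAD_STATES = ("[GNUPG:] EXPKEYSIG", "[GNUPG:] REVKEYSIG", "[GNUPG:] BADSIG")


def signature_ok(status_output, pinned_fingerprint):
    """True only for a VALIDSIG by the pinned fingerprint with no expired/revoked/bad status."""
    wanted = pinned_fingerprint.replace(" ", "").upper()
    lines = status_output.splitlines()
    if any(line.startswith(BAD_STATES) for line in lines):
        return False
    for line in lines:
        m = VALIDSIG_RE.match(line)
        if m and m.group(1) == wanted:
            return True
    return False


def gpg_status(sig_path, data_path):
    """gpg's machine-readable status text for a detached signature, or None without gpg."""
    if shutil.which("gpg") is None:
        return None
    res = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True)
    return res.stdout


def parse_sha256sums(text):
    """'hex  name' lines as written by sha256sum; a leading '*' marks binary mode."""
    sums = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        hexdigest, sep, name = line.partition("  ")
        if not sep or len(hexdigest) != 64:
            raise ValueError("malformed line: %r" % line)
        sums[name.lstrip("*")] = hexdigest.lower()
    return sums


def verify_release(name, data, sums_text, status_output, pinned_fingerprint):
    """(ok, reason): signature first, then the tarball's digest against the signed list."""
    if not signature_ok(status_output, pinned_fingerprint):
        return False, "checksum file not signed by pinned key"
    sums = parse_sha256sums(sums_text)
    if name not in sums:
        return False, "no entry for %s" % name
    if hashlib.sha256(data).hexdigest() != sums[name]:
        return False, "sha256 mismatch for %s" % name
    return True, "ok"


# Constructed fixtures: a fake tarball, its digest list, and the status lines gpg
# would emit for a valid signature by the pinned key. The fingerprint is made up.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
TARBALL = b"tcpdump-3.7.1 constructed tarball bytes\n"
SUMS_TEXT = "%s  tcpdump-3.7.1.tar.gz\n" % hashlib.sha256(TARBALL).hexdigest()
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <maint@example.invalid>\n"
    "[GNUPG:] VALIDSIG %s 2002-11-13 1037145600 0 4 0 1 10 00 %s\n" % (PINNED_FPR, PINNED_FPR)
)
OTHER_KEY_STATUS = GOOD_STATUS.replace(PINNED_FPR, "FEDCBA9876543210FEDCBA9876543210FEDCBA98")


def demo():
    """Pristine release, same release signed by another key, and a swapped tarball."""
    n = "tcpdump-3.7.1.tar.gz"
    return {
        "good": verify_release(n, TARBALL, SUMS_TEXT, GOOD_STATUS, PINNED_FPR),
        "wrong_key": verify_release(n, TARBALL, SUMS_TEXT, OTHER_KEY_STATUS, PINNED_FPR),
        "swapped": verify_release(n, TARBALL + b"x", SUMS_TEXT, GOOD_STATUS, PINNED_FPR),
    }


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print("%-10s %s (%s)" % (label, "OK" if ok else "FAIL", reason))
```

    Against a live release you would call gpg_status("SHA256SUMS.asc", "SHA256SUMS") and pass its result to verify_release. As the comment says, this moves the trust to the key holder and their build machine rather than removing it; what it does remove is the case where whoever replaced the tarball also rewrote the checksum file beside it.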
  25. Date of Trojan is after Nov 1, 2002 by Skjellifetti · · Score: 5, Informative

    I downloaded and installed libpcap and tcpdump on Nov 1. The versions I have came from tcpdump.org. md5sum shows that they have the correct checksum and not the trojaned checksum as reported on the Houston LUG page. A grep of the sources for the port number and ip found in the trojan reports null. It looks like the trojan files were placed on tcpdump.org after Nov 1, 2002.

  26. Re:Eventually, this would happen by Bruce+Perens · · Score: 5, Informative
    Remember Interbase? It came with a trojan from Borland. The Open Source folks found it only AFTER the program was made open source. It had the trojan for at least 6 years before it became Open Source. It was running airplane reservation systems. Somebody got a lot of free flights.

    Why do you think only an employee can trojan a binary, anyway? Most viruses modify binaries. Certainly many virus-infected binaries have been distributed professionally.

    Bruce

  27. phew? --- just how carefully did you read? :-) by fw3 · · Score: 3, Informative
    if the sniffer is trojanized, then it could possible hide such "activities". I actually read the article and it however seems that it was not the case here... phew :-)
    From the article: Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.

    MD5 checks work nicely. Sure, pgp in theory is better, but since md5's are cached locally and a helluva lot faster to check, the chances that they will actually be used and verified are seemingly quite good.

    Which is to say in practice MD5 has caught rather a lot of these problems, and in quite timely manner.

    As irrelevant as various source-distributions (e.g. lunar, source-mage and Gentoo) are at present in other respects, they make a nice 'canary' in the coal mine :-).

    --
    Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
    bsds are of course just BSD
  28. Re:Eventually, this would happen by 13Echo · · Score: 3, Informative

    Things aren't just *added* to the codebase of open source programs. You can't just walk up and pop some code into the codebase. It doesn't work that way. There is always a code maintainer who reviews the changes before applying the patches. I can't think of any exceptions to this. Can you?

  29. Re:Eventually, this would happen by dylan_- · · Score: 3, Informative
    What a load of crap! Internet Explorer saves your URL/Searches! STOP THE PRESSES! Internet Explorer saves cookies and history! BREAKING NEWS! OMIGOD IT'S A CONSPIRACY!
    And keeps them after you've instructed it to clear its history and cookies. That's the point. Didn't you read the article?
    Whoa, Microsoft installed "secret" files! How evil! The system attribute has only been around since, uh, DOS 1.0 or something!
    And doesn't display them even when you turn on the display of hidden and system files in explorer. Didn't you read the article?

    I would complain if Konqueror didn't show me all dot files after I'd enabled viewing them, or if the history file was being backed up without my knowledge.
    --
    Igor Presnyakov stole my hat
  30. Re:Eventually, this would happen by bockman · · Score: 3, Informative
    Obviously there are exceptions - that's how this occurred - unless of course you are suggesting that the maintainer of this package was complicit in adding the trojan.

    If this trojan got inside like the others (OpenSSH and Bind, IIRC), it was _not_ a patch submitted to the project. Simply, somebody rooted the FTP server and substituted the trojanized tarball for the official one.
    In other words, the weak point that was exploited was not that anybody can contribute to an open source project ( which is not a weakness at all IMO) but that source tarballs are hosted on insufficiently protected FTP servers.

    There are counter-measures against this weakness. As long as distros use them (and I hope they do), it is unlikely that one of these trojans will slip into an official CD.

    --
    Ciao

    ----

    FB

  31. Re:Eventually, this would happen by evilpenguin · · Score: 3, Informative

    It should be easy to find this person. The trojan downloads evil code from a specific web site. This site is either the perps or was cracked by the perp. They will be hunted down.

    There is virtually no way to be absolutely certain of the integrity of any code, unless you audit it yourself. Even fans of OpenBSD have to admit that they are trusting the OpenBSD auditors. Some would use this to argue that you can place greater trust in closed code. But, to use Microsoft as an example (but not to claim that they are the administrator of all evil), the infamous Word macro virus first appeared on a Microsoft beta release and I seem to recall a story a little over a year ago about Russian hackers having spent a few merry weeks in the Windows 2000 source code. Trust now?

    The point is that we all use code on faith. Even should Palladium become reality, you are just transferring trust to another party. The lesson I think we in the Free Software community should take away from this is that we should make better use of the tools we have. We should provide GPG signed MD5 checksums of all of our "official" tarballs. Some projects do this, some do not. As I just pointed out, this is not a guarantee, but it does provide a chain of accountability.