From: Vitaly Kushneriuk <vitaly_kushneriuk@yahoo.com>
To: Rob Kaper <cap@capsi.com>
Cc: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] possible trojan in openssh-3.4p1
Date: 01 Aug 2002 12:18:53 +0300 [thread overview]
Message-ID: <1028193533.12255.17.camel@uranus.u235.eyep.net> (raw)
In-Reply-To: <20020801103714.A26100@capsi.com>
On Thu, 2002-08-01 at 11:37, Rob Kaper wrote:
> Pat, Neil, Gentoo devs, KDE friends:
>
> >From #kde-freebsd:
>
> <knu> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is trojaned
> <tap> nothing on google either
> <knu> steals /etc/passwd to send to a certain IRC network and removes itself
> <Capzilla> knu : says who
> <knu> see the code, but never run make
> <knu> openbsd-compat/{Makefile.in,bf-test.c}
>
> Looks like some weird stuff is in there indeed.
>
> md5sum of the binary that appears to be trojaned:
>
> 3ac9bc346d736b4a51d676faa2a08a57 openssh-3.4p1.tar.gz
>
> As far as I can see, compiled binaries are *not* affected, but you might
> want to carefully examin this more closely (I'm waiting with upgradepkg en
> emerge on my systems until there's some more info). We've had a few hoaxes
> recently, but this looks suspicious.
>
> My apologies if this is just a storm in a glass of water.
>
> Rob
> --
> Rob Kaper | Gimme some love, gimme some skin,
> cap@capsi.com | if we ain't got that then we ain't got much
> www.capsi.com | and we ain't got nothing, nothing! -- "Nothing" by A
> _______________________________________________
> gentoo-dev mailing list
> gentoo-dev@gentoo.org
> http://lists.gentoo.org/mailman/listinfo/gentoo-dev
>
It's indeed looks like a trojan. It doesn't send you'r etc/passwd tho.
It connects to the 203.62.158.32[web.snsonline.net.] port 6667[irc]
and opens shell session on that connection, so that whoever is in
control there will be able to execute arbitraty commands on your system
with you'r current privileges. especialy dangerouus if you compile as
root.
/Vitaly.
next prev parent reply other threads:[~2002-08-01 9:18 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-08-01 8:37 [gentoo-dev] possible trojan in openssh-3.4p1 Rob Kaper
2002-08-01 8:46 ` Rob Kaper
2002-08-01 9:18 ` Vitaly Kushneriuk [this message]
2002-08-01 10:10 ` Eric Noack
2002-08-01 10:34 ` Terje Kvernes
2002-08-01 10:47 ` Rob Kaper
2002-08-01 10:56 ` Terje Kvernes
[not found] ` <200208011505.42361.bastiaf@gmx.de>
2002-08-01 13:35 ` Terje Kvernes
2002-08-01 13:39 ` Rob Kaper
2002-08-01 21:17 ` Spider
2002-08-02 7:36 ` Johannes Findeisen
2002-08-02 12:18 ` [gentoo-dev] " A.Waschbuesch
2002-08-02 12:02 ` Johannes Findeisen
2002-08-03 10:40 ` [gentoo-dev] " A.Waschbuesch
2002-08-03 16:09 ` [gentoo-dev] " Jean-Michel Smith
2002-08-03 17:19 ` [gentoo-dev] " A.Waschbuesch
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1028193533.12255.17.camel@uranus.u235.eyep.net \
--to=vitaly_kushneriuk@yahoo.com \
--cc=cap@capsi.com \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox