From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 4.0.0 (2022-12-14) on finch.gentoo.org X-Spam-Level: ** X-Spam-Status: No, score=2.1 required=5.0 tests=DKIM_ADSP_CUSTOM_MED, DMARC_REJECT,FORGED_YAHOO_RCVD,FREEMAIL_FROM,MAILING_LIST_MULTI, NICE_REPLY_A,RDNS_NONE,SPOOFED_FREEMAIL_NO_RDNS autolearn=no autolearn_force=no version=4.0.0 Received: from uranus.u235.eyep.net (unknown [194.90.113.98]) by chiba.3jane.net (Postfix) with SMTP id DC43FABD97 for ; Thu, 1 Aug 2002 04:18:56 -0500 (CDT) Received: (qmail 16711 invoked by uid 1000); 1 Aug 2002 09:18:53 -0000 Subject: Re: [gentoo-dev] possible trojan in openssh-3.4p1 From: Vitaly Kushneriuk To: Rob Kaper Cc: gentoo-dev@lists.gentoo.org In-Reply-To: <20020801103714.A26100@capsi.com> References: <20020801103714.A26100@capsi.com> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.8 Date: 01 Aug 2002 12:18:53 +0300 Message-Id: <1028193533.12255.17.camel@uranus.u235.eyep.net> Mime-Version: 1.0 Sender: gentoo-dev-admin@gentoo.org Errors-To: gentoo-dev-admin@gentoo.org X-BeenThere: gentoo-dev@gentoo.org X-Mailman-Version: 2.0.6 Precedence: bulk List-Help: List-Post: List-Subscribe: , List-Id: Gentoo Linux developer list List-Unsubscribe: , List-Archive: X-Archives-Salt: 105a6436-72bc-4a73-99e1-b493562ab155 X-Archives-Hash: 63862a8aea7c0a5621b94e6a066cf088 On Thu, 2002-08-01 at 11:37, Rob Kaper wrote: > Pat, Neil, Gentoo devs, KDE friends: > > >From #kde-freebsd: > > ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is trojaned > nothing on google either > steals /etc/passwd to send to a certain IRC network and removes itself > knu : says who > see the code, but never run make > openbsd-compat/{Makefile.in,bf-test.c} > > Looks like some weird stuff is in there indeed. > > md5sum of the binary that appears to be trojaned: > > 3ac9bc346d736b4a51d676faa2a08a57 openssh-3.4p1.tar.gz > > As far as I can see, compiled binaries are *not* affected, but you might > want to carefully examin this more closely (I'm waiting with upgradepkg en > emerge on my systems until there's some more info). We've had a few hoaxes > recently, but this looks suspicious. > > My apologies if this is just a storm in a glass of water. > > Rob > -- > Rob Kaper | Gimme some love, gimme some skin, > cap@capsi.com | if we ain't got that then we ain't got much > www.capsi.com | and we ain't got nothing, nothing! -- "Nothing" by A > _______________________________________________ > gentoo-dev mailing list > gentoo-dev@gentoo.org > http://lists.gentoo.org/mailman/listinfo/gentoo-dev > It's indeed looks like a trojan. It doesn't send you'r etc/passwd tho. It connects to the 203.62.158.32[web.snsonline.net.] port 6667[irc] and opens shell session on that connection, so that whoever is in control there will be able to execute arbitraty commands on your system with you'r current privileges. especialy dangerouus if you compile as root. /Vitaly.