[SATLUG] CERT Advisory CA-2002-24 Trojan Horse OpenSSH Distribution
Lincoln
hotrodls at ix.netcom.com
Tue Aug 6 10:25:03 CDT 2002
I cannot remember if I saw this on this list or not since I have seen it from
a couple of other places (my apologies if it was posted here - I have been on
the road a lot lately)... The CERT has issued an advisory concerning a Trojan
in OpenSSH:
http://www.cert.org/advisories/CA-2002-24.html
A quick excerpt from the Description:
The CERT/CC has received confirmation that some copies of the source code for
the OpenSSH package have been modified by an intruder and contain a Trojan
horse. The following advisory has been released by the OpenSSH development
team:
http://www.openssh.com/txt/trojan.adv
The following files were modified to include the malicious code:
openssh-3.4p1.tar.gz
openssh-3.4.tgz
openssh-3.2.2p1.tar.gz
These files appear to have been placed on the FTP server which hosts
ftp.openssh.com and ftp.openbsd.org on the 30th or 31st of July, 2002. The
OpenSSH development team replaced the Trojan horse copies with the original,
uncompromised versions at 13:00 UTC, August 1st, 2002. The Trojan horse copy
of the source code was available long enough for copies to propagate to sites
that mirror the OpenSSH site.
The Trojan horse versions of OpenSSH contain malicious code that is run when
the software is compiled. This code connects to a fixed remote server on
6667/tcp. It can then open a shell running as the user who compiled OpenSSH.