[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files

Brian Daniels bitmage at bellsouth.net
Thu Aug 1 12:11:13 EDT 2002


> > 1. Systems affected:
> > 
> > OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
> > OpenBSD ftp server and potentially propagated via the normal mirroring
> > process to other ftp servers.  The code was inserted some time between
> > the 30th and 31th of July.  We replaced the trojaned files with their
> > originals at 7AM MDT, August 1st.
> > 
...
> > 
> > When building the OpenSSH binaries, the trojan resides in bf-test.c

Things that make your blood run cold in the morning.  I downloaded 3.4p1 
yesterday at 5:43pm from ftp.openbsd.org to install on our webserver.

Oddly enough, it's not the trojaned version.  No bf-test.c.  And I got 
stuck on the ./configure step and had to go deal with another problem so I 
never got to make.

I think this is the first time I've ever been glad that ./configure failed. 
:-)

The _really_ scary question is how they got into openbsd.org, and what else 
did they mess with?

Brrr.

--Brian

-- 
Question with boldness even the existence of a god;
because if there be one he must approve of the
homage of reason more than that of blindfolded fear.

--Thomas Jefferson, Aug. 10, 1787


Brian Daniels                  bitmage at bellsouth.net
      http://www.eviloverlord.net




More information about the TriLUG mailing list