[TriLUG] Fwd: OpenSSH Security Advisory: Trojaned Distribution Files
Mike Mueller
mjm-58 at mindspring.com
Thu Aug 1 12:32:44 EDT 2002
On Thursday 01 August 2002 12:11, Brian Daniels reputedly wrote:
> > > 1. Systems affected:
> > >
> > > OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
> > > OpenBSD ftp server and potentially propagated via the normal mirroring
> > > process to other ftp servers. The code was inserted some time between
> > > the 30th and 31th of July. We replaced the trojaned files with their
> > > originals at 7AM MDT, August 1st.
>
> ...
>
> > > When building the OpenSSH binaries, the trojan resides in bf-test.c
><snip>
> The _really_ scary question is how they got into openbsd.org, and what else
> did they mess with?
Would the problem have been caught if the MD5s were checked, or were the
checksums compromised as well? If the checksums were compromised, then can
anything anywhere be trusted?
--
m
More information about the TriLUG
mailing list