[GLLUG] [Fwd: [expert] Blackhats and md5sums]

Mike Rambo mrambo@lsd.k12.mi.us
Fri, 02 Aug 2002 07:45:41 -0400



Just ran across this on the Mandrake list. Since I know some of you guys
use some version of BSD I thought it might be a good idea to pass it on.
Sorry if this is already known or doesn't apply (FreeBSD instead of
OpenBSD or whatever...).


--
Mike Rambo
mrambo@lsd.k12.mi.us



-------- Original Message --------
Subject: [expert] Blackhats and md5sums
Date: Thu, 01 Aug 2002 13:34:19 -0800
From: civileme <civileme@civileme.net>
Reply-To: expert@linux-mandrake.com
To: expert@linux-mandrake.com, newbie@linux-mandrake.com

Well, if you think you are safe rebuilding from source, think again...


1. Systems affected:

OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
OpenBSD ftp server and potentially propagated via the normal mirroring
process to other ftp servers.  The code was inserted some time between
the 30th and 31st of July.  We replaced the trojaned files with their
originals at 7AM MDT, August 1st.

2. Impact:

Anyone who has installed OpenSSH from the OpenBSD ftp server or any
mirror within that time frame should consider his system compromised.
The trojan allows the attacker to gain control of the system as the
user compiling the binary.  Arbitrary commands can be executed.
-----

(http://www.openssh.org/txt/trojan.adv)

So unless you've built OpenSSH from source in the last couple of days,
you should be OK.  Anyone who upgraded to 3.4 back in June when it came
out should be fine.

Of course if people downloading openssh checked it against the md5sum on
the site, they would have discovered a "bad download".  In actuality,
someone inserted source to contact a remote server.  How they managed to
get that on a site running OpenBSD is another question entirely, since
it is supposed to be the most secure thing around.

This illustrates once again that security is a process, and that no
system is inherently secure.  Some systems make it a little easier to
lock down and some make themselves nigh-on impossible to protect.  And
it is a huge mistake to entrust security to a computer system and forget
the human component of such systems which can cause circumvention of the
best-designed computer measures.

Civileme
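The check Civileme describes, verifying a downloaded tarball against the published md5sum before building, as an added example that is not part of the original message or of the OpenSSH project. The manifest format is the real md5sum(1) output format; the tarball contents and the "tampered" copy are constructed stand-ins, and the manifest is assumed to have been fetched from a location separate from the tarball itself.

```python
"""Verify a downloaded source tarball against a published md5sum manifest."""
import hashlib
import hmac


def parse_md5sums(manifest: str) -> dict:
    """Parse md5sum(1) lines ("<hex>  <name>" or "<hex> *<name>") into {name: hex}."""
    entries = {}
    for line in manifest.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 32:
            continue  # skip malformed lines instead of trusting them
        digest, name = parts
        entries[name.lstrip("*")] = digest.lower()  # '*' marks binary mode
    return entries


def verify_download(name: str, data: bytes, manifest: str) -> str:
    """Return 'ok', 'mismatch' or 'no-entry' for the fetched file bytes."""
    expected = parse_md5sums(manifest).get(name)
    if expected is None:
        return "no-entry"  # nothing to compare against: do not build from it
    actual = hashlib.md5(data).hexdigest()
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed stand-ins for the genuine tarball and a copy with extra source
# appended, which is the "bad download" the md5sum check would have caught.
GENUINE_TARBALL = b"openssh-3.4p1 genuine source (constructed sample)\n"
TAMPERED_TARBALL = GENUINE_TARBALL + b"/* injected code, constructed sample */\n"

# Manifest as it would be published next to the tarball (constructed here
# from the genuine sample); the second line is deliberately malformed.
PUBLISHED_MD5SUMS = (
    f"{hashlib.md5(GENUINE_TARBALL).hexdigest()}  openssh-3.4p1.tar.gz\n"
    "not-a-digest\n"
)

if __name__ == "__main__":
    for label, blob in (("genuine", GENUINE_TARBALL), ("tampered", TAMPERED_TARBALL)):
        print(label, verify_download("openssh-3.4p1.tar.gz", blob, PUBLISHED_MD5SUMS))
```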