[GLLUG] [Fwd: [expert] Blackhats and md5sums]
Mike Rambo
mrambo@lsd.k12.mi.us
Fri, 02 Aug 2002 07:45:41 -0400
Just ran across this on the Mandrake list. Since I know some of you guys
use some version of BSD I thought it might be a good idea to pass it on.
Sorry if this is already known or doesn't apply (FreeBSD instead of
OpenBSD or whatever...).
--
Mike Rambo
mrambo@lsd.k12.mi.us
-------- Original Message --------
Subject: [expert] Blackhats and md5sums
Date: Thu, 01 Aug 2002 13:34:19 -0800
From: civileme <civileme@civileme.net>
Reply-To: expert@linux-mandrake.com
To: expert@linux-mandrake.com, newbie@linux-mandrake.com
Well, if you think you are safe rebuilding from source, think again...
1. Systems affected:
OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
OpenBSD ftp server and potentially propagated via the normal mirroring
process to other ftp servers. The code was inserted some time between
the 30th and 31st of July. We replaced the trojaned files with their
originals at 7AM MDT, August 1st.
2. Impact:
Anyone who has installed OpenSSH from the OpenBSD ftp server or any
mirror within that time frame should consider his system compromised.
The trojan allows the attacker to gain control of the system as the
user compiling the binary. Arbitrary commands can be executed.
-----
(http://www.openssh.org/txt/trojan.adv)
So unless you've built OpenSSH from source in the last couple of days, you
should be OK. Anyone who upgraded to 3.4 back in June when it came out
should be fine.
Of course if people downloading openssh checked it against the md5sum on
the site, they would have discovered a "bad download". In actuality,
someone inserted source to contact a remote server. How they managed to
get that on a site running OpenBSD is another question entirely, since
it is supposed to be the most secure thing around.
This illustrates once again that security is a process, and that no
system is inherently secure. Some systems make it a little easier to
lock down and some make themselves nigh-on impossible to protect. And
it is a huge mistake to entrust security to a computer system and forget
the human component of such systems which can cause circumvention of the
best-designed computer measures.
Civileme
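As an added illustration of the check described above (this is example code, not from the post or from the OpenSSH project), the following verifies downloaded files against a published checksum manifest in `md5sum` output format and reports a "bad download" when the digest does not match. The tarball bytes, the filename `openssh-3.4p1.tar.gz` and the manifest are all constructed for the example.

```python
import hashlib
import hmac

# Constructed sample data: bytes standing in for the pristine source tarball
# and for a copy with extra code inserted, as in the advisory.
PRISTINE_TARBALL = b"openssh-3.4p1 source tree (constructed placeholder)\n"
TAMPERED_TARBALL = PRISTINE_TARBALL + b"/* inserted: contact a remote host */\n"


def digest_hex(data: bytes, algo: str = "md5") -> str:
    """Hex digest of data using the named hashlib algorithm."""
    h = hashlib.new(algo)
    h.update(data)
    return h.hexdigest()


def parse_manifest(text: str) -> dict:
    """Parse md5sum/sha256sum style lines ('<hex>  <filename>') into a dict."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        hexdigest, name = parts
        # A leading '*' marks binary mode in md5sum output; it is not part of the name.
        expected[name.lstrip("*")] = hexdigest.lower()
    return expected


def verify_downloads(manifest_text: str, downloads: dict, algo: str = "md5") -> dict:
    """Return {filename: 'OK' | 'BAD DOWNLOAD' | 'MISSING'} for every manifest entry."""
    expected = parse_manifest(manifest_text)
    results = {}
    for name, want in expected.items():
        data = downloads.get(name)
        if data is None:
            results[name] = "MISSING"
            continue
        got = digest_hex(data, algo)
        # compare_digest does not short-circuit on the first differing character.
        results[name] = "OK" if hmac.compare_digest(got, want) else "BAD DOWNLOAD"
    return results


# Constructed "published" manifest, generated here from the pristine bytes;
# in practice it is fetched from the project site, ideally via a separate channel.
PUBLISHED_MANIFEST = f"{digest_hex(PRISTINE_TARBALL)}  openssh-3.4p1.tar.gz\n"

if __name__ == "__main__":
    print(verify_downloads(PUBLISHED_MANIFEST, {"openssh-3.4p1.tar.gz": PRISTINE_TARBALL}))
    print(verify_downloads(PUBLISHED_MANIFEST, {"openssh-3.4p1.tar.gz": TAMPERED_TARBALL}))
```

The same function verifies a `sha256sum` manifest with `algo="sha256"`, which is the preferable choice today since MD5 collisions are practical; the check is only as trustworthy as the channel the manifest came from.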