TUCoPS :: BSD :: bsd5589.htm

ftp.openbsd.org - ftp.openbsd.org was owned, openbsd source tree is compromised
2nd Aug 2002 [SBWID-5589]
COMMAND

	ftp.openbsd.org was owned, openbsd source tree is compromised

SYSTEMS AFFECTED

	OpenSSH version 3.2.2p1,  3.4p1  and  3.4  have  been  trojaned  on  the
	OpenBSD ftp server and potentially propagated via the  normal  mirroring
	process to other ftp servers. The code was inserted  some  time  between
	the 30th and 31st of July. We replaced the  trojaned  files  with  their
	originals at 7AM MDT, August 1st.

PROBLEM

	Editor's note
	=============

	Unofficial: a pretty trustworthy source told us that the openbsd.org
	repository has been owned for the past two months, and that the OpenSSH
	bug has been actively exploited for the past four months. It seems the
	OpenBSD team hasn't publicly leaked the info because they wanted to
	trace the attacker via some sort of honeypot.
	

	Niels Provos says:

	Anyone who has installed OpenSSH from the  OpenBSD  ftp  server  or  any
	mirror within that time frame should consider  his  system  compromised.
	The trojan allows the attacker to gain control  of  the  system  as  the
	user compiling the binary.  Arbitrary commands can be executed.
	

	When building the OpenSSH binaries, the trojan resides in bf-test.c  and
	causes code to execute which connects to a  specified  IP  address.  The
	destination port is normally used by  the  IRC  protocol.  A  connection
	attempt  is  made  once  an  hour.  If  the  connection  is  successful,
	arbitrary commands may be executed.
	

	Three commands are understood by the backdoor:
	

	Command A:  Kill the exploit.

	Command D:  Execute a command.

	Command M:  Go to sleep.

	

	
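	The behaviour described above (a connection attempt once an hour from
	the build host to one fixed address on an IRC port) is something an
	incident responder can hunt for in connection logs. The following is an
	added example, not code from the advisory or from the OpenSSH project:
	a POSIX sh/awk filter that reports any source/destination/port triple
	seen at least MIN_HITS times with hourly gaps (within SLACK seconds of
	3600). The log format ("epoch src dst dport" per line) and the sample
	lines, including the use of 6667/tcp as the IRC port, are constructed
	for the example; adapt the field positions to your firewall or netflow
	output.

```shell
#!/bin/sh
# Added example (not part of the advisory): flag hourly call-home beacons in
# a connection log. Input lines are "epoch src dst dport", space separated
# (constructed format; real pf/netflow output needs its own field mapping).
MIN_HITS=${MIN_HITS:-3}   # connections in a row at hourly spacing to report
SLACK=${SLACK:-120}       # tolerated deviation from 3600s between connects

# find_hourly_beacons LOGFILE: print "src dst dport run" for every triple
# whose longest run of hourly-spaced connections reaches MIN_HITS.
find_hourly_beacons() {
    # group by (src, dst, dport), then order each group by time
    sort -k2,2 -k3,3 -k4,4n -k1,1n "$1" |
    awk -v min="$MIN_HITS" -v slack="$SLACK" '
    function flush() {
        if (key != "" && best >= min) print key, best
    }
    {
        k = $2 " " $3 " " $4
        if (k != key) {            # new triple: report the previous one
            flush(); key = k; hits = 1; best = 1; last = $1
        } else {
            gap = $1 - last; last = $1
            if (gap >= 3600 - slack && gap <= 3600 + slack) hits++
            else hits = 1          # irregular gap: the run is broken
            if (hits > best) best = hits
        }
    }
    END { flush() }'
}

# sample_log: constructed sample. 10.0.0.5 talks to 203.0.113.9:6667 on the
# hour (assumed IRC port, as the advisory only says "normally used by IRC");
# the other flows are irregular and must not be reported.
sample_log() {
cat <<'EOF'
1028160000 10.0.0.5 203.0.113.9 6667
1028163600 10.0.0.5 203.0.113.9 6667
1028167200 10.0.0.5 203.0.113.9 6667
1028170800 10.0.0.5 203.0.113.9 6667
1028160100 10.0.0.7 203.0.113.9 6667
1028161000 10.0.0.7 203.0.113.9 6667
1028160200 10.0.0.5 198.51.100.2 80
1028162200 10.0.0.5 198.51.100.2 80
1028169400 10.0.0.5 198.51.100.2 80
EOF
}

# Usage: sh find_beacons.sh connections.log
if [ "$#" -eq 1 ]; then
    find_hourly_beacons "$1"
fi
```

	Run it against a log covering at least a few hours of the build host's
	outbound traffic; with the sample above it prints one line,
	"10.0.0.5 203.0.113.9 6667 4". A hit is a lead, not proof: confirm by
	checking whether the reported host built OpenSSH from a tarball fetched
	in the affected window.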

SOLUTION

	Verify that you did not build a trojaned version  of  the  sources.  The
	portable OpenSSH tarballs contain PGP signatures that should be verified
	before installation. You can also use the following  MD5  checksums  for
	verification.
	

	MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
	MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
	MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
	MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
	MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
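	A check script for the verification step above, added here as an example
	and not taken from the advisory or from the OpenSSH project. It compares
	a downloaded tarball against the MD5 sums listed in the advisory and then
	runs gpg over the detached signature. Two points a practitioner should
	keep in mind: the sums must come from the advisory text, not from a file
	fetched off the same mirror as the tarball, and the signature check is
	only meaningful if the OpenSSH release key was obtained out of band and
	imported beforehand (an assumption of this script).

```shell
#!/bin/sh
# Added example (not from the advisory): check an OpenSSH tarball against the
# MD5 sums published in the advisory, then against its detached PGP signature.
# Assumes gpg(1) is installed and the OpenSSH release key is already in the
# keyring. The sum table is copied from the advisory text.

# Known-good sums from the advisory, one "filename sum" pair per line.
KNOWN_SUMS='
openssh-3.4p1.tar.gz 459c1d0262e939d6432f193c7a4ba8a8
openssh-3.4p1.tar.gz.sig d5a956263287e7fd261528bb1962f24c
openssh-3.4.tgz 39659226ff5b0d16d0290b21f67c46f2
openssh-3.2.2p1.tar.gz 9d3e1e31e8d6cdbfa3036cb183aa4a01
openssh-3.2.2p1.tar.gz.sig be4f9ed8da1735efd770dc8fa2bb808a
'

# md5_of FILE: print the hex MD5 of FILE using whichever tool is installed.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# expected_md5 NAME: print the advisory's sum for NAME, or nothing if unknown.
expected_md5() {
    printf '%s\n' "$KNOWN_SUMS" | awk -v n="$1" '$1 == n {print $2}'
}

# check_md5 FILE [NAME]: exit status 0 if FILE's MD5 matches the advisory's
# sum for NAME (default: FILE's basename), 1 on mismatch, 2 if NAME is not
# in the table. An unknown name is a failure, not a pass.
check_md5() {
    file=$1
    name=${2:-$(basename "$file")}
    want=$(expected_md5 "$name")
    [ -n "$want" ] || return 2
    have=$(md5_of "$file")
    [ "$have" = "$want" ]
}

# check_sig TARBALL: verify TARBALL against TARBALL.sig. Requires the OpenSSH
# release key in the local keyring (assumption; import it out of band first).
check_sig() {
    gpg --verify "$1.sig" "$1"
}

# Usage: sh verify_openssh_tarball.sh openssh-3.4p1.tar.gz
if [ "$#" -eq 1 ]; then
    if check_md5 "$1"; then
        echo "MD5 ok: $1"
    else
        echo "MD5 mismatch or unlisted file: $1 -- do not build it" >&2
        exit 1
    fi
    check_sig "$1" || { echo "signature check failed: $1" >&2; exit 1; }
fi
```

	Run the script before ./configure, not after: the trojan executes during
	the build, so a checksum taken afterwards only tells you what you already
	ran.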

	
