[Fwd: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
Where does SuSE stand on this?
Apparently libpcap and tcpdump have been trojaned, in a similar way to openssh earlier this year. Information about how long this has been the case is sketchy. Trojaned versions appear to have made it out to a number of mirrors.
Further details can be found at http://hlug.fscker.com (mirror http://www2.def-con.org/mirror/hlug.fscker.com/ appears to work).
The tarballs available at www.tcpdump.org appear to still be trojaned.
Good sources:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz

MD5 sums of the good sources:
0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz

Trojaned sources:
http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz

MD5 sums of the trojaned sources:
73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 when the configure script is run. Sites with logs of network traffic may wish to check for connections to this IP over recent days.
We would be interested in hearing about any machines found to be compromised using this route.
Regards
John Green

JANET-CERT                        Tel: +44 1235 822340
UKERNA                            Fax: +44 1235 822398
Atlas Centre                      cert@cert.ja.net
Chilton, Didcot
Oxfordshire OX11 0QS
United Kingdom
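The two checks the advisory asks sites to make, verifying a downloaded tarball against the MD5 sums posted above and looking through connection logs for the callback destination, can be scripted. The following is an added example written for this archive, not code from JANET-CERT or the tcpdump project. The sums are the ones quoted in the message; the log format ("<timestamp> <src> -> <dst>:<port>", one connection per line) and the sample log lines are constructed for illustration and are an assumption about how a site records its traffic.

```shell
#!/bin/sh
# Added example: classify libpcap/tcpdump tarballs by MD5 sum and count
# connections to the callback address named in the advisory.

# Known-good sums (ibiblio Gentoo distfiles copies), as posted in the advisory.
GOOD_SUMS='
0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
'
# Sums of the trojaned tcpdump.org tarballs, as posted in the advisory.
BAD_SUMS='
73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
'

# classify_md5 SUM NAME -> prints good | trojaned | unknown
# Matches the whole "sum name" line as a fixed string, case-folded.
classify_md5() {
    sum=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    name=$2
    if printf '%s\n' "$GOOD_SUMS" | grep -qxF "$sum $name"; then
        echo good
    elif printf '%s\n' "$BAD_SUMS" | grep -qxF "$sum $name"; then
        echo trojaned
    else
        echo unknown
    fi
}

# md5_of FILE -> hex digest, using whichever tool the host provides.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# classify_file PATH -> classification from the file's basename and digest.
classify_file() {
    classify_md5 "$(md5_of "$1")" "$(basename "$1")"
}

# count_callbacks LOGFILE -> number of lines recording a connection to
# 212.146.0.34 on port 1963 (the destination the advisory names).
# Assumed log format: "<timestamp> <src> -> <dst>:<port>" per line.
count_callbacks() {
    grep -c -E '(^| )212\.146\.0\.34:1963( |$)' "$1" || true
}

# write_sample_log PATH -> writes a constructed log (not real traffic)
# with two hits on the callback port and two near-misses.
write_sample_log() {
    cat >"$1" <<'EOF'
2002-11-12T09:14:02 10.0.0.7 -> 212.146.0.34:1963
2002-11-12T09:20:11 10.0.0.7 -> 212.146.0.34:80
2002-11-12T10:01:45 10.0.0.9 -> 212.146.0.34:1963
2002-11-12T10:05:00 10.0.0.9 -> 192.0.2.10:1963
EOF
}

# Demo: scan the constructed log, then classify any tarballs given as arguments.
LOG=$(mktemp)
write_sample_log "$LOG"
echo "connections to 212.146.0.34:1963 in sample log: $(count_callbacks "$LOG")"
rm -f "$LOG"
for f in "$@"; do
    echo "$f: $(classify_file "$f")"
done
```

Run it as `sh check-tcpdump.sh /path/to/tcpdump-3.7.1.tar.gz` against each downloaded tarball; point `count_callbacks` at a real log only after adjusting the pattern to that log's field layout. A result of `unknown` means the file matches neither list, not that it is clean.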
On Wed, Nov 13, 2002 at 03:41:20PM +0000, Simon Oliver wrote:
Where does SuSE stand on this?
We immediately checked our pcap and tcpdump source from 8.1 and didn't find any trace of the backdoor.

Olaf
-- 
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
Hi,

Does this mean all supported versions from 8.1 down are free from this trojaned code?

Reg'ds
Dre
On Wed, Nov 13, 2002 at 04:18:46PM -0000, arawak wrote:
Does this mean all supported versions from 8.1 down are free from this trojaned code?
Yes. It should also be noted that the trojan code is not in the _binary_, it's only run when _building_ the package.

Olaf
-- 
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
On Wed, Nov 13, 2002 at 05:03:21PM +0100, Olaf Kirch wrote:
We immediately checked our pcap and tcpdump source from 8.1 and didn't find any trace of the backdoor.
There was a post to the tcpdump mailing list that it is currently assumed that the infection took place on November 11th.
Ciao
Jörg
--
Joerg Mayer
Participants (4): arawak, Joerg Mayer, Olaf Kirch, Simon Oliver