Where does SuSE stand on this?
Apparently libpcap and tcpdump have been trojaned, in a similar way to openssh earlier this year. Information about how long this has been the case is sketchy. Trojaned versions appear to have made it out to a number of mirrors.
Further details can be found at http://hlug.fscker.com (mirror http://www2.def-con.org/mirror/hlug.fscker.com/ appears to work).
The tarballs available at www.tcpdump.org appear to still be trojaned.
Good sources:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz

MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz

Trojaned sources:
http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz

MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 when the configure script is run. Sites with logs of network traffic may wish to check for connections to this IP over recent days.
We would be interested in hearing about any machines found to be compromised using this route.
Regards
John Green

JANET-CERT            Tel: +44 1235 822340
UKERNA                Fax: +44 1235 822398
Atlas Centre          cert@cert.ja.net
Chilton, Didcot
Oxfordshire OX11 0QS
United Kingdom
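Two checks that follow from the post above, as an added example that is not part of the original message: classifying a downloaded tarball by the MD5 sums quoted in the post, and scanning iptables-style firewall log lines for connections to the callback host and port. The log lines are constructed samples; the sums and the address are those quoted above.

```python
import hashlib
import re

# MD5 sums quoted in the post: clean tarballs from the ibiblio mirror versus
# the trojaned ones that tcpdump.org was serving at the time.
GOOD_MD5 = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}
TROJANED_MD5 = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}
# Host and port the trojaned configure script calls out to, per the post.
CALLBACK_IP = "212.146.0.34"
CALLBACK_PORT = 1963

def classify_digest(name, digest):
    """Map a tarball name plus its MD5 hex digest to clean/trojaned/unknown.
    'unknown' means neither list matches: treat it as suspect, not as clean."""
    if digest == GOOD_MD5.get(name):
        return "clean"
    if digest == TROJANED_MD5.get(name):
        return "trojaned"
    return "unknown"

def classify_bytes(name, data):
    """Classify tarball contents already read into memory."""
    return classify_digest(name, hashlib.md5(data).hexdigest())

# Fields of the iptables LOG line format we match on: SRC=, DST= and DPT=.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)")

def find_callbacks(lines):
    """Return source addresses seen connecting to the callback host and port."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("dst") == CALLBACK_IP and int(m.group("dpt")) == CALLBACK_PORT:
            hits.append(m.group("src"))
    return hits

# Constructed sample firewall log lines (not taken from the post).
SAMPLE_LOG = [
    "Nov 13 10:01:02 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=212.146.0.34 LEN=60 PROTO=TCP SPT=34567 DPT=1963 SYN",
    "Nov 13 10:01:09 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.7 DST=212.146.0.34 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN",
    "Nov 13 10:02:30 gw kernel: IN=eth1 OUT=eth0 SRC=10.0.0.9 DST=198.51.100.4 LEN=60 PROTO=TCP SPT=40002 DPT=1963 SYN",
]
```

Only a hit on both the address and port 1963 is reported, so ordinary traffic to the same host on other ports does not raise a false alarm; a tarball whose sum matches neither list still needs a second look before it is built.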