Re: Trojan/backdoor in fragroute 1.2 source distribution

From: uid0@catastrophe.net
Date: 05/31/02


Date: Fri, 31 May 2002 10:48:29 -0500
From: uid0@catastrophe.net
To: bugtraq@securityfocus.com

On Fri, 2002-05-31 at 09:55:21 +0200, Anders Nordby wrote...

; Although downloading it now seems safe, I think folks should know this.
; The changes done were similar to what happened to irssi, but with a
; different IP.
;
; MD5 sum of fragroute-1.2.tar.gz, downloaded from
; http://www.monkey.org/~dugsong/fragroute/ on May 27 (the contaminated
; version): 65edbfc51f8070517f14ceeb8f721075
;
; MD5 sum of fragroute-1.2.tar.gz, downloaded from
; http://www.monkey.org/~dugsong/fragroute/ on May 30 (this is the current
; MD5 sum): 7e4de763fae35a50e871bdcd1ac8e23a

This makes one wonder a question that would be best posed to the community;
the purpose of MD5/SHA/etc is to provide unequivocal evidence as to the
validity of a piece of data. More often than not, such files are kept in the
same, vulnerable, location as the actual data. Clearly one can see the
downfall of such a system.

To what extent have the entities in this forum started to analyze methods
by which to use a "trusted" third party to house such signatures of data?
In my mind, it seems evident that a light system might take some of the
functionality of the trusted CA model in SSL, and use it to provide
guaranteed (as much as one can) signatures.

This might be a good discussion for another forum, but I'm curious to know
if anything as such is being done.

-#0
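
Added example, not part of the original post: a minimal Python sketch of the distinction raised above, in which a digest published on the download host itself is not treated as independent evidence. The two digests and the download URL are the ones quoted in the thread; the `digests.example.org` record, the assumption that a third party recorded the May 30 value, and all function names are constructed for illustration.

```python
from typing import List, NamedTuple
from urllib.parse import urlparse

class Record(NamedTuple):
    source_url: str  # where the digest was published
    digest: str      # hex digest as published

def host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()

def assess(download_url: str, file_digest: str, records: List[Record]) -> str:
    """Classify a download by who vouches for its digest."""
    origin = host(download_url)
    got = file_digest.strip().lower()
    # Any published digest that disagrees with the file is a hard failure.
    if any(r.digest.strip().lower() != got for r in records):
        return "reject"
    # From here on, every record matches the file.
    if any(host(r.source_url) != origin for r in records):
        return "verified"          # at least one off-host publisher agrees
    if records:
        return "same-origin-only"  # whoever replaced the file could replace this too
    return "unverified"

# Values quoted in the thread.
DOWNLOAD_DIR = "http://www.monkey.org/~dugsong/fragroute/"
MAY27 = "65edbfc51f8070517f14ceeb8f721075"  # reported as the contaminated tarball
MAY30 = "7e4de763fae35a50e871bdcd1ac8e23a"  # reported as the current tarball

# Constructed scenario: the digest shown on the download host was swapped
# together with the tarball, while an off-host record kept the May 30 value.
COLOCATED_SWAPPED = Record(DOWNLOAD_DIR, MAY27)
INDEPENDENT = Record("https://digests.example.org/fragroute-1.2", MAY30)

if __name__ == "__main__":
    print(assess(DOWNLOAD_DIR, MAY27, [COLOCATED_SWAPPED]))
    print(assess(DOWNLOAD_DIR, MAY27, [COLOCATED_SWAPPED, INDEPENDENT]))
    print(assess(DOWNLOAD_DIR, MAY30, [INDEPENDENT]))
```

With only the co-located digest, the contaminated tarball checks out cleanly; it is rejected only once an off-host record is consulted.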


