Re: Trojan/backdoor in fragroute 1.2 source distribution

From: Dug Song (dugsong@monkey.org)
Date: 05/31/02


Date: Fri, 31 May 2002 12:34:49 -0400
From: Dug Song <dugsong@monkey.org>
To: bugtraq@securityfocus.com

On Fri, May 31, 2002 at 09:55:21AM +0200, Anders Nordby wrote:

> Although downloading it now seems safe, I think folks should know
> this. The changes done were similar to what happened to irssi, but
> with a different IP.

monkey.org was compromised on May 14th, via an epic4-pre2.511
client-side hole which produced a shell to one of the local admin's
accounts. this was later used to reattach to one of his screen
sessions, which apparently had a root window open (su very bad!).

the dsniff-2.3, fragroute-1.2, and fragrouter-1.6 tarballs were all
modified at 3 AM on May 17th to include the same configure backdoor as
described in the irssi advisory. no other public web content was
modified, and the system was restored a week later, from scratch.
the correct checksums are:

MD5 (dsniff-2.3.tar.gz) = 183e336a45e38013f3af840bddec44b4
MD5 (fragroute-1.2.tar.gz) = 7e4de763fae35a50e871bdcd1ac8e23a
MD5 (fragrouter-1.6.tar.gz) = 73fdc73f8da0b41b995420ded00533cc

of the 1951 hosts that successfully downloaded one of the backdoored
tarballs, 992 of them were Windows machines and 193 were automated
ports downloads for the *BSD dsniff or fragrouter ports, leaving 746
Linux (and a few Solaris and MacOS) hosts potentially vulnerable, and
20 FreeBSD and OpenBSD hosts.

we have since migrated our system to OpenBSD-current, importing Niels
Provos' excellent systrace subsystem:

        http://www.citi.umich.edu/u/provos/systrace

which allows us to run all user sessions under a restricted syscall
policy (e.g. so an IRC client cannot exec(), open() anything outside
~/.irc, etc.), similar in spirit to Goldberg and Wagner's Janus
sandbox, or Cowen's SubDomain.

in the future, our software distributions may carry embedded
signatures via gzsig:

        http://www.monkey.org/~dugsong/gzsig-0.1.tar.gz

but for the time being, please be careful what you download, and
carefully audit or sandbox any third-party scripts or software you
run...

-d.

---
http://www.monkey.org/~dugsong/



Relevant Pages

  • Trojan/backdoor in fragroute 1.2 source distribution
    ... Although downloading it now seems safe, I think folks should know this. ... +/* Override any gcc2 internal prototype to avoid an error. ... rm -rf conftest* ... Irssi backdoor page: http://www.irssi.org/?page=backdoor ...
    (Bugtraq)
  • Re: Cant download files with IE 6
    ... it seems to do fine at the same sites my laptop fails at and the ... > the hosts file looks fine, but I'm starting to suspect some sort of malware ... >> the desktop has no problem downloading anything. ...
    (microsoft.public.windows.inetexplorer.ie6.browser)
  • Re: Internet explorer sending me where I dont want to go.
    ... What is the downfall to downloading a firewall? ... Will a firewall even fix this problem since it has already ... >called 'hosts'. ...
    (microsoft.public.security)
  • Re: Since SP2, some ad frames in IE6 dont show up
    ... ads.geocities.com) then you can make an entry in your "hosts" file. ... the IP address of 127.0.0.1 .Your computer does not have the graphics ... downloading anything from the site you don't need or want to download. ...
    (microsoft.public.windowsxp.general)
  • Re: REINSTALLING windows 2000 pro
    ... >recognizing the other one, I was happy when I was ... >downloading this file but do not work ... hosts is at http://www.mvps.org/winhelp2002/hosts.htm ... and stinger at http://vil.nai.com/vil/stinger/ ...
    (microsoft.public.win2000.general)