[tcpdump-announce] initial comments on trojan attack (fwd)

From: Jonas Eriksson (je@sekure.net)
Date: 11/16/02

  • Next message: Joseph Wagner: "GNU GCC: Optimizer Removes Code Necessary for Security" 
    Date: Sat, 16 Nov 2002 11:32:22 +0100 (CET)
From: Jonas Eriksson <je@sekure.net>
To: bugtraq@securityfocus.com

    ---------- Forwarded message ----------
    Date: Fri, 15 Nov 2002 19:40:47 -0500
    From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
    Reply-To: tcpdump-workers@sandelman.ottawa.on.ca
    To: tcpdump-announce@tcpdump.org
    Subject: [tcpdump-announce] initial comments on trojan attack

    -----BEGIN PGP SIGNED MESSAGE-----

    1) the machine hosting cvs.tcpdump.org was likely compromised
       between Nov. 7th and Nov. 10th at 18:24pm.

       The method was likely through an unpatched openssh daemon.
       (The rest of my servers run SSH.com)
       I have not yet confirmed this for sure.

    2) an additional public key was added to the .ssh/authorized_keys
       file for my account. This account was used to install the trojan
       files at 10:14am, Monday Nov. 11.

    3) The machine was taken offline around 11am Wednesday Nov. 13th.
       The machine is also my mail relay, and stealth DNS primary for
       unsigned (non-DNSSEC) zones.
       As such, the machine has been left on, with no default route,
       but able to exchange DNS and SMTP with others.

    4) I have examined the mirrors and confirmed that many mirror operators
       did not take the code offline. Therefore, I've restored the proper
       files, and restored connectivity to the mirror sites.

       The restored files are from my laptop.
       The md5sum of the files on my laptop match those provided by CERT,
       and the files on sourceforge.net.

       I have additional signed the files with my key. We will generate
       a key for really doing this.

       I have not restored 3.6.2, as I haven't yet tracked a perfect copy
       of this, but will soon.

    5) I will edit the web site soon to provide this information.

    6) I think that we should release a 3.7.1b or .2 or something, no
       code change, just to flush things out.

    7) the machine will get flushed (i.e. reformatted) when I return from
       Atlanta/IETF. I expect to limp along until then in this configuration.
       This means that there will be no anon-cvs, and no SSH access.

    ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
    ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
    ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
    ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.7 (GNU/Linux)
    Comment: Finger me for keys

    iQCVAwUBPdWUDYqHRg3pndX9AQEfOwP5AeHn5F0+mML8l1mlKTSGPbRDE+0Q6t3N
    lnUn9+nnmchT/ULyI4ayMGpVkjWfg/DUN/ShuLqjn72jFKLgxqt5DVo6Zy1ASoeu
    o6GXrQEPuG6diBW1s6AMnRyAKUxNB+Dr9Wqun+OzXhO+VNgRx6j4M39ckdltzG17
    QeG26TVMq70=
    =wGS3
    -----END PGP SIGNATURE-----
    -
    This is the TCPDUMP announcement list. It is archived at
    http://www.tcpdump.org/lists/announce/maillist.html
    To unsubscribe use mailto:tcpdump-announce-request@tcpdump.org?body=unsubscribe

    Loading