Re: ssh trojaned

From: Eirik Seim (default@stengt.net)
Date: 08/01/02


Date: Thu, 1 Aug 2002 22:41:39 +0200 (CEST)
From: Eirik Seim <default@stengt.net>
To: Steve Wright <stevew@cwazy.co.uk>

On Thu, 1 Aug 2002, Steve Wright wrote:

> Hello,
>
> I'm no programmer so I'm hoping someone can confirm this for me..
> I am correct in thinking the trojan currently in OpenSSH portable 3.4p1 only
> runs during compilation ?

From Christian Bahls' post on bugtraq, this trojan simply creates a file
called conftest.c, and tries repeatedly to compile and run it naming the
binary after $USER's shell, during compilation of OpenSSH. That's all.

> ie a copy of ssh compiled using this source will not have anything nasty
> built into it ?

In plain English: No. Not from _this_ particular trojan. You should
consider your system compromised as it could have been wide open while
compiling, but before you panic, remember that this trojan was (according
to Niels Provos in a recent post to bugtraq) inserted between 30. and 31.
of July, and removed at 7AM MDT August 1st.

If you didn't touch your OpenSSH install before 30. of July, and stay away
from the mirrors until they're clean, you should be safe.

Oh, and the guys that inserted the trojan might easily have had access to more
on the same ftp site, and subsequently also its mirrors. If you don't
usually verify checksums, now is a great time to start doing so.

- Eirik

-- 
New and exciting signature!
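
The checksum habit recommended in the message above, as an added example (not part of the original post and not OpenSSH project code): a shell wrapper that refuses to unpack a tarball unless its SHA-256 digest matches a list obtained separately from the download site, so nothing from the archive runs during a build. The function names, the file layout and the use of `sha256sum` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: verify a source tarball before it is unpacked or built.
# Assumes sha256sum (GNU coreutils); all names here are hypothetical.

# verify_tarball FILE CHECKSUMS
#   CHECKSUMS uses the "HEX  NAME" layout that sha256sum prints and is
#   assumed to come from a channel other than the download site or its
#   mirrors (for example a signed release announcement).
#   Returns 0 on match, 1 on mismatch, 2 if a file is missing or unlisted.
verify_tarball() {
    file=$1
    sums=$2
    [ -f "$file" ] && [ -f "$sums" ] || return 2
    name=$(basename "$file")

    # Look up the expected digest by exact file name ("*" marks binary mode).
    expected=$(awk -v n="$name" \
        '$2 == n || $2 == "*" n { print tolower($1); exit }' "$sums")
    [ -n "$expected" ] || return 2

    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# build_if_clean FILE CHECKSUMS DESTDIR
#   Unpacks only after the digest matches. On any failure nothing is
#   extracted, so configure/make never get a chance to run archive content.
build_if_clean() {
    rc=0
    verify_tarball "$1" "$2" || rc=$?
    case $rc in
        0) mkdir -p "$3" && tar -xzf "$1" -C "$3" ;;
        1) echo "digest mismatch for $1: do not build" >&2; return 1 ;;
        *) echo "no trusted digest for $1: do not build" >&2; return 2 ;;
    esac
}
```

A digest file fetched from the same server as the tarball only detects corruption in transit; it says nothing if the server itself was modified.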


