Re: ssh trojaned

From: Eirik Seim (default@stengt.net)
Date: 08/01/02


Date: Thu, 1 Aug 2002 22:41:39 +0200 (CEST)
From: Eirik Seim <default@stengt.net>
To: Steve Wright <stevew@cwazy.co.uk>

On Thu, 1 Aug 2002, Steve Wright wrote:

> Hello,
>
> I'm no programmer so I'm hoping someone can confirm this for me..
> I am correct in thinking the trojan currently in OpenSSH portable 3.4p1 only
> runs during compilation?

From Christian Bahls' post on bugtraq, this trojan simply creates a file
called conftest.c, and tries repeatedly to compile and run it naming the
binary after $USER's shell, during compilation of OpenSSH. That's all.

> ie a copy of ssh compiled using this source will not have anything nasty
> built into it?

In plain English: No. Not from _this_ particular trojan. You should
consider your system compromised as it could have been wide open while
compiling, but before you panic, remember that this trojan was (according
to Niels Provos in a recent post to bugtraq) inserted between 30. and 31.
of July, and removed at 7AM MDT August 1st.

If you didn't touch your OpenSSH install before 30. of July, and stay away
from the mirrors until they're clean, you should be safe.

Oh, and the guys that inserted the trojan might easily have had access to more
on the same ftp site, and subsequently also its mirrors. If you don't
usually verify checksums, now is a great time to start doing so.

- Eirik

-- 
New and exciting signature!
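
Added example, not part of the original message: because the trojan described above runs during the build, the digest check has to pass before anything from the tarball is unpacked or configured. The script assumes SHA-256 digests in the usual "digest  filename" list format, file names without spaces, and a checksum list obtained from somewhere other than the download mirror; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: gate unpack/build on a digest check.
# Assumptions: SHA-256, list lines of the form "digest  filename",
# and a list fetched from a source other than the mirror that served
# the tarball (a list from the same compromised site proves nothing).

# Print the SHA-256 hex digest of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_tarball TARBALL CHECKSUM_LIST
# Returns 0 on match, 1 on mismatch, 2 if the file, the list, or the
# list entry for this file name is missing.
verify_tarball() {
    tarball=$1
    list=$2
    [ -f "$tarball" ] && [ -f "$list" ] || return 2
    name=$(basename "$tarball")
    # Accept text-mode "digest  name" and binary-mode "digest *name".
    expected=$(awk -v n="$name" \
        '{f=$2; sub(/^[*]/,"",f)} f==n {print tolower($1); exit}' "$list")
    [ -n "$expected" ] || return 2
    actual=$(sha256_of "$tarball")
    [ "$actual" = "$expected" ]
}

# Stand-alone use: sh verify.sh <tarball> <checksum-list>
# Unpack and run ./configure only after this exits 0.
if [ "$#" -eq 2 ]; then
    verify_tarball "$1" "$2" || {
        echo "NOT verified: do not unpack or build $1" >&2
        exit 1
    }
    echo "verified: $1"
fi
```

A missing list entry is reported separately from a mismatch (exit status 2 versus 1) so that an unlisted file is never mistaken for a verified one.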