Re: Re: ssh trojaned

From: Jonas Anden (dajudge@home.se)
Date: 08/05/02


From: Jonas Anden <dajudge@home.se>
To: vuln-dev@securityfocus.com
Date: 05 Aug 2002 19:27:09 +0200


> or perhaps, if I am mirror A have a watchdog script compare my md5 sum to
> every other md5 sum accross the mirrors, and take some action should the
> ratio of unmatching MD5's falls below a certain percentage...

Should the published MD5 sum of a file I have mirrored be different on
*ANY* of the other mirrors (or the primary site) be different from the
calculated MD5 sum of my file, all sorts of bells and whistles should go
off. Something is wrong; either my copy or their copy is bad. Either
way, something needs to be done about it.

Such a scheme would have
a) stopped the mirroring of the trojaned ssh package.
b) detected the trojaned ssh package much faster.

  // J