TROJAN INVADES OpenSSH
By Shawna McAlearney, Security Wire Digest
Copies of OpenSSH available for download on many popular sites have been tainted with a Trojan, according to warnings from OpenSSH, CERT and the National Infrastructure Protection Center (NIPC).
According to OpenSSH, versions 3.2.2p1/3.4p1/3.4 "have been Trojaned on the OpenBSD ftp server and potentially propagated via the normal mirroring process to other ftp servers." The advisories state that the code was inserted some time between July 30 and July 31. OpenSSH replaced the compromised files on Aug. 1.
Experts say systems where OpenSSH was installed from the OpenBSD ftp server or any mirror within that time frame should be considered compromised. The Trojan allows the attacker to gain control of the system as the user compiles the binary. Though the malicious code isn't particularly sophisticated, it's a remotely controllable program that could give attackers root access.
Recommended mitigations include conducting a port scan on internal networks for port tcp/22 to find undocumented systems; checking the MD5 hashes of the source distributions used against the "clean list" provided on the OpenSSH Web site; and verifying the date/time of download/installation of the source distribution, to see if it matches the window during which the Trojan was being distributed.
Openssh.org
Cert.org
NIPC.gov
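The hash and download-time checks from the recommended mitigations, combined into one triage pass, as an added example that is not part of the article or any advisory. The file names, file contents, the stand-in clean list and the year are constructed assumptions; the real digests come from the clean list on the OpenSSH Web site.

```python
import hashlib, os, tempfile
from datetime import datetime, timezone

YEAR = 2002  # assumption: the article gives only month and day
WINDOW = (datetime(YEAR, 7, 30, tzinfo=timezone.utc),
          datetime(YEAR, 8, 2, tzinfo=timezone.utc))  # Jul 30 through end of Aug 1

def md5_of(path):
    """MD5 of a file, read in chunks so large tarballs are not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def triage(path, clean_md5, window=WINDOW):
    """Classify one source tarball against the clean list and the exposure window."""
    expected = clean_md5.get(os.path.basename(path))
    if expected is None:
        status = "unlisted"   # not on the clean list: the hash cannot clear it
    elif md5_of(path) == expected.lower():
        status = "match"
    else:
        status = "mismatch"   # treat the host that built from it as compromised
    mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
    # mtime can be reset, so it is reported beside the hash result, not instead of it.
    return {"status": status, "in_window": window[0] <= mtime < window[1]}

def demo():
    """Constructed sample: two fake tarballs, one altered after the list was taken."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "openssh-3.4p1.tar.gz")  # constructed file name
        bad = os.path.join(d, "openssh-3.4.tgz")        # constructed file name
        for p, body in ((good, b"constructed bytes A"), (bad, b"constructed bytes B")):
            with open(p, "wb") as f:
                f.write(body)
        # Stand-in for the published clean list (constructed, not real digests).
        clean = {os.path.basename(p): md5_of(p) for p in (good, bad)}
        with open(bad, "ab") as f:
            f.write(b"constructed tampering")
        ts_in = datetime(YEAR, 7, 31, 12, tzinfo=timezone.utc).timestamp()
        ts_out = datetime(YEAR, 7, 1, tzinfo=timezone.utc).timestamp()
        os.utime(bad, (ts_in, ts_in))
        os.utime(good, (ts_out, ts_out))
        return {os.path.basename(p): triage(p, clean) for p in (good, bad)}

if __name__ == "__main__":
    print(demo())
```

A "match" clears only the tarball still on disk; a host that built from a different copy fetched inside the window still needs review.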
