OpenSSH Package Trojaned

cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.

OpenBSD is holy!

[Anonymous Coward]

It's official: OpenBSD is holy. The Pope just announced the security hole itself.

Another blow to the *BSD movement, losing the support of Atheists all over the globe...

Or something.

hmmm....

[reaper20]

So the sources are bad but the binaries are good? Is today bizarro-world day or something?

Re:hmmm....

[Chester K]

So the sources are bad but the binaries are good? Is today bizarro-world day or something?

This is yet another example of why everyone should use proprietary closed source software! I bet nobody's ever been compromised through a trojan horse in the build process of Microsoft Word!

This is another victory for Open Source!!!

[Anonymous Coward]

Isn't it?

What's the big worry

[back@slash]

C:\>bf-output.sh
'bf-output.sh' is not recognized as an internal or external command,
operable program or batch file

This trojan doesn't look very 31337 to me.

Well, I guess that's what they get...

[MrBadbar]

...for hosting ftp.openbsd.org on a box running SunOS, not OpenBSD!

New catch phrase

[martinde]

It was "no remote holes in 5 years". Now it's "one remote hole in the default install, in nearly 6 years!"

Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"

slashdot is missing a great opportunity to help

[back@slash]

The right thing to do here would be to put a link [203.62.158.32] in the article to port 80 of the receiver server of the trojan.

Let's see it try to work while the server is being /.'d into oblivion.

Re:Just a Thought to prevent this..

[yatest5]

If there would be some configure/make environment that prevents or asks before outgoing connections and checks for possibly dangerous commands, that are unusual to call upon a ./configure run, wouldn't that prevent things like this to happen again?


Yes, I recommend having the installation banned from creating / deleting / running any files.

Re:j00 R 0wn3d lol

[Anonymous Coward]

Ever heard of the "security patch" for XP and Media Player? Right in the EULA you give Micro$loth admin rights to your machine - hell, they put it in clear english! I'm sorry, but a media player should not be able to root the box, period. And the "fix" itself could be considered a trojan - one with a legal EULA to boot!

So you must not run XP, right? I know a guy who firewalls his XP box, not so much to keep others out, but to keep data in! He uses egress filters to stop unauthorized outgoing traffic. And, yes, XP tries to report back to Redmond.

This rogue code was caught within 6 hours. It would take at least 6 days for M$ to even admit that the trojan existed (that is, if they would admit to it at all). Micro$loths security record is hardly something to brag about. On the other hand, OpenBSD's record up til recently has been very impressive, to say the least.

Re:How many people do check the MD5 checksum?

[ckd]

With the ports system, they would have to change the checksum on FreeBSD's systems as well as the source on OpenBSD's site. Keeping them separate helps a lot.

So there are positive features to the *BSD splits after all! :-)

Re:hmmm....

[ThereIsNoSporkNeo]

Actually, at this point, most of us Slashdot posters have been replaced with chatbots and mine-detection robots. As we lack the programming language to simulate your ideal "Humor", we have simply posed as programmers and accountants.

To be honest, you're the only real human left. Sorry we missed you. You'll be getting a knock on your door shortly.

Don't worry... this is just the world pulled over you eyes.

Re:What's the big worry

[kludge99]

either does that C:\> prompt

Re:203.62.158.32

[cheezfreek]

I'd say the odds of this have to be about 2036215832:1.

I'm sorry. I shouldn't have inflicted my strange sense of humour on the world.

Re:I know who DID IT!

[Anonymous Coward]

Archer Daniels Midland?

I thought that they just trojaned congress...