OpenSSH Package Trojaned
cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.
OpenBSD is holy! (Score:0, Funny)
Another blow to the *BSD movement, losing the support of Atheists all over the globe...
Or something.
hmmm.... (Score:4, Funny)
Re:hmmm.... (Score:4, Funny)
This is yet another example of why everyone should use proprietary closed source software! I bet nobody's ever been compromised through a trojan horse in the build process of Microsoft Word!
This is another victory for Open Source!!! (Score:1, Funny)
What's the big worry (Score:5, Funny)
'bf-output.sh' is not recognized as an internal or external command,
operable program or batch file
This trojan doesn't look very 31337 to me.
Well, I guess that's what they get... (Score:3, Funny)
New catch phrase (Score:4, Funny)
Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"
slashdot is missing a great opportunity to help (Score:0, Funny)
Let's see it try to work while the server is being
Re:Just a Thought to prevent this.. (Score:5, Funny)
Yes, I recommend having the installation banned from creating / deleting / running any files.
Re:j00 R 0wn3d lol (Score:2, Funny)
So you must not run XP, right? I know a guy who firewalls his XP box, not so much to keep others out, but to keep data in! He uses egress filters to stop unauthorized outgoing traffic. And, yes, XP tries to report back to Redmond.
This rogue code was caught within 6 hours. It would take at least 6 days for M$ to even admit that the trojan existed (that is, if they would admit to it at all). Micro$loth's security record is hardly something to brag about. On the other hand, OpenBSD's record up until recently has been very impressive, to say the least.
Re:How many people do check the MD5 checksum? (Score:3, Funny)
So there are positive features to the *BSD splits after all! :-)
Re:hmmm.... (Score:2, Funny)
To be honest, you're the only real human left. Sorry we missed you. You'll be getting a knock on your door shortly.
Don't worry... this is just the world pulled over your eyes.
Re:What's the big worry (Score:2, Funny)
Re:203.62.158.32 (Score:1, Funny)
I'm sorry. I shouldn't have inflicted my strange sense of humour on the world.
Re:I know who DID IT! (Score:2, Funny)
I thought that they just trojaned congress...