Trojan Found in libpcap and tcpdump 486
msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."
Glad I use Gentoo (Score:4, Informative)
How did it get into tcpdump.org's sources exactly? The HLUG page isn't clear.
Seems (Score:2, Informative)
Seems now more than ever the need to check the authenticity of your sources before installing.
As if security auditing wasnt a big enough headache already
mirrors for a just in case (Score:1, Informative)
blah blah blah... just don't feel like fscker dying all by itself. yadda yadda yadda, beowulf cluster hootie hoo, slashdot should cache unfta unf, I need head
Re:This Trojan thing... (Score:5, Informative)
And he only might have done it (can you tell?)
See http://www.acm.org/classics/sep95/ [acm.org] for more details
Re:This is dreadful (Score:2, Informative)
Now, good GPG signatures would have helped.
Re:Eventually, this would happen (Score:0, Informative)
closed src doesn't have its src on some webserver for some kiddie to trojan in the first place. sure the possibility of some employee or the employer itself to trojan the src, but most open source trojans are someone breaking into the web server and uploading modified src. by definition this wont happen with closed src since closed src doesn't release src, so your argument is irrelevant.
Re:Eventually, this would happen (Score:5, Informative)
Does that mean that this trojan has been around for almost a year before anybody noticed? If that's true, it does not meet my definition of "easily detected".
Re:Siltakoski Petri is somehow connected with this (Score:3, Informative)
Oh wait, perhaps he's just the tech guy working for the company which registered the domain "raketti.net", Kuopion Puhelin. It's a telecom and net operator after all.
Re:Siltakoski Petri is somehow connected with this (Score:4, Informative)
Yes and no. The information you have successfully received from the Whois database is pointing to the phone company in Finland, which happens to be a host for raketti.net domain. Petri Siltakoski is just an administrative contact of the ISP (Raketti.Net). He has nothing to do with the web page set up by an individual who seems to have an account in this ISP.
Reply from a mirror site to HLUG and tcpdump.org (Score:5, Informative)
To : msolnik@hlug.org
Cc : wt-changes@wiretapped.net,
tcpdump-workers@tcpdump.org,
mcr@sandelman.ottawa.on.ca
Subject : tcpdump.org mirrors
----- Message Text -----
Hi guys,
I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.
You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.
Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html
Hope this assists in preventing any further spread,
Grant
www.wiretapped.net
Re:So much for peer auditing? (Score:5, Informative)
let me make sure to put pillows over the sharp corners of the table.
this was found, just last night, because of the change in the md5 checksum.
this md5 checksum changed because the file changed.
this file changed because someone changed it
so in conclusion, this file has not been like this for a year
hope you were able to keep up
Re:So much for peer auditing? (Score:2, Informative)
Since there are no md5 sums or gpg signatures listed on tcpdump.org it makes it very easy for someone to simply replace the source. Only those that check md5 sums and gpg signatures will know if it is truly trojaned or not.
I hope that the tcpdump people will start provided md5 sums and gpg signatures for those that build from source.
Re:as soon as this evening... (Score:5, Informative)
If you read the article more carefully, you will notice that the binaries aren't trojaned. This is a trojan in the build scripts only. So ironically, only the paranoids who build from source (but aren't paranoid enough to demand an MD5) got hit by this.
Re:Glad I use Gentoo (Score:5, Informative)
SRC_URI="http://www.tcpdump.org/release/
http://www.jp.tcpdump.org/release/${P}.tar.gz"
SRC_URI is a last resort mirror..
Lucily the MD5 sum catched the trojan: (From the gentoo ebuild digest)
MD5 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz 428737
facts, not fiction. (Score:5, Informative)
follow the link posted already, read it and try to understand what he fundamentally tries to tell you. then go and read aleph1's 'smashing the stack for fun and profit' and try to get a glimpse of what 'hacking' was considered in the 80s.
Re:This Trojan thing... (Score:5, Informative)
debian all good (Score:1, Informative)
rgoldber@supercomputer:~$ md5sum tcpdump_3.6.2.orig.tar.gz
6bc8da35f9eed4e675bfdf04ce312248 tcpdump_3.6.2.orig.tar.gz
rgoldber@supercomputer
03e5eac68c65b7e6ce8da03b0b0b225e tcpdump_3.7.1.orig.tar.gz
rgoldber@supercomputer
0597c23e3496a5c108097b2a0f1bd0c7 libpcap_0.7.1.orig.tar.gz
NO!!!! NO!!! NO!!! (Score:5, Informative)
Do this: Download gpg from gnupg.org. Build it. Generate yourself a key. Try to get some of your friends to sign it. submit it to keyserver.net. Sign your code with that key. While you're at it, start using kmail, evolution, or mozilla with enigmail and start signing your emails too. Do it religiously.
Check sigs when you download code too.
Re:Eventually, this would happen (Score:5, Informative)
I downloaded libpcap/0.7.1 from tcpdump.org on September 2 of this year (just 2 months ago), and it was not trojaned (I keep a record of md5 sums, and was able to check this just now).
Probably whoever modified the file just touched it to resotre the original timestamp. This is trivial to do.
Re:One too many? (Score:3, Informative)
http://www.openssl.org/news/secadv_20020730.txt says that is vulnerable.
Sandbox Your Applications (Score:5, Informative)
In the meanwhile, I suggest that you run all your untrusted software in a sandbox like Systrace [umich.edu] which is available for the BSDs and Linux.
This screenshot [umich.edu] shows Dug Song detecting the trojan in the Fragroute [monkey.org] distribution. Systrace allows you to run completely untrusted applications in a sandbox. The security policy is created on the fly with the user deciding what an application is allowed to do.
We need to be much more careful about the software that we run.
Re:One too many? (Score:3, Informative)
That being said, that alone is not enough. Everyone should run their updates nightly, and make sure their security don't collapse completely once one box has been taken.
However, I would like to take the opportunity to applaud the honeynet people who actively act like sitting ducks in order to protect the rest of us.
a quick test to see if your hit (Score:4, Informative)
tcpdump -n host 212.146.0.34 &
telnet 212.146.0.34 1963
if tcpdump sees the connection since it isn't ignoring port 1963, if you don't see the connection, then your tcpdump is ignoring port 1963
and well, its always nice to
the people at 212.146.0.34 should change it to something like
if this test is wrong, well, so be it, i'm still new at this linux thing, but i'm better at linux then i am at spelling (boy, i should be an
--Anonymous Coward
Early news from tcpdump.org (Score:5, Informative)
"ls -c" says that the modified binaries were installed at Nov 11 10:14:00 2002 GMT.
Preliminary inspection says that the CVS repository is O.K.
Re:as soon as this evening... (Score:5, Informative)
To be useful the MD5 file should be signed, and the GPG key that signed it should be one that you know and trust. Even that may not be enough if the key owner can be tricked into revealing his private key, or the trojan horse can be introduced into the code on the code owners development machine, but it does add one layer of depth to your security.
The first time I had a server hacked (mountd exploit, xmas '99) the machine details were sold on IRC, probably in exchange for credit card numbers, to a somewhat clueless Singapore exchange student who proceeded to delete all of my syslog files so that when I logged in remotely the root mailbox was full of complaints about missing logfiles. The rooted system was up for about a week, during which time it probed several thousand IPs for basic exploits, hosted an IRC channel through eggdrop (together with names of the hacker's friends and passwords), all on a machine with no rootkit installed and very little attempt to hide activity.
Basically I got lucky the first time, and ever since then I've been paranoid, in hopes there won't be a second time. But with a smart hacker and a good root kit, I think even with my paranoia that I could miss a hacker on my machine for a long time, so I suspect it is only a matter of time before some well known developer gets hacked and has signed sources distributed with a trojan horse inside.
Date of Trojan is after Nov 1, 2002 (Score:5, Informative)
Re:Eventually, this would happen (Score:5, Informative)
Why do you think only an employee can trojan a binary, anyway? Most viruses modify binaries. Certainly many virus-infected binaries have been distributed professionally.
Bruce
phew? --- just how carefully did you read? :-) (Score:3, Informative)
MD5 checks work nicely. Sure pgp in theory is better but since md5's are cached locally, and a helluva lot faster to check the chances that they will actually be used and verified are seemingly quite good.
Which is to say in practice MD5 has caught rather a lot of these problems, and in quite timely manner.
As irrelevant as various source-distributions (e.g. lunar [lunar-linux.org], source-mage [sourcemage.org] and Gentoo [gentoo.org]) are at present in other respects, they make a nice 'canary' in the coal mine :-).
Re:Eventually, this would happen (Score:3, Informative)
Re:Eventually, this would happen (Score:3, Informative)
And doesn't display them even when you turn on the display of hidden and system files in explorer. Didn't you read the article?
I would complain if Konqueror didn't show me all dot files after I'd enabled viewing them, or if the history file was being backed up without my knowledge.
Re:Eventually, this would happen (Score:3, Informative)
If this troian got inside like the others (OpenSSH and Bind, IIRC), it was _not_ a patch submitted to the project. Simply, somebody rooted the FTP server and substitute the official tarball with the troyanize one.
In other words, the weak point that was exploited was not that anybody can contribute to an open source project ( which is not a weakness at all IMO) but that source tarballs are hosted on insufficiently protected FTP servers.
There are counter-measures against this weakness. As long as distros use them (and I hope they do), it is unlikely that one of these trojans will slip into an officia CD.
Re:Early news from tcpdump.org (Score:2, Informative)
The distributions from sourceforge are safe. See
http://www.sourceforge.net/projects/tcpdump/ [sourceforge.net] http://www.sourceforge.net/projects/libpcap/ [sourceforge.net]
The MD5s of safe versions that HLUG provided appear to be correct; my own MD5 says:
MD5 (tcpdump-3.7.1.tar.gz) = 03e5eac68c65b7e6ce8da03b0b0b225e
MD5 (libpcap-0.7.1.tar.gz) = 0597c23e3496a5c108097b2a0f1bd0c7
Re:Eventually, this would happen (Score:3, Informative)
There is virtually no way to be absolutely certain of the integrity of any code, unless you audit it yourself. Even fans of OpenBSD have to admit that they are trusting the OpenBSD auditors. Some would use this to argue that you can place greater trust in closed code. But, to use Microsoft as an example (but not to claim that they are the adminstrator of all evil), the infamous Word macro virus first appeared on a Microsoft beta release and I seem to recall a story a little over a year ago about Russian hackers having spent a few merry weeks in the Windows 2000 source code. Trust now?
The point is that we all use code on faith. Even should Palladium become reality, you are just transferring trust to another party. The lesson I think we in the Free Software community should take away from this is that we should make better use of the tools we have. We should should provide GPG signed MD5 checksums of all of our "official" tarballs. Some projects do this, some do not. As I just pointed out, this is not a guarantee, but it does provide a chain of accountability.