OpenSSH Package Trojaned 574
cperciva writes "The original story is here.
And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.
MD5 sums (Score:5, Informative)
Re:MD5 sums (Score:3, Informative)
I think it's okay now (Score:5, Interesting)
This really sucks since I woke up only like 10 minutes ago and find that the most downloaded file from your site may be trojaned. I have a distinct feeling that the rest of my day isn't going to be much better.
hmmm.... (Score:4, Funny)
Re:hmmm.... (Score:4, Funny)
This is yet another example of why everyone should use proprietary closed source software! I bet nobody's ever been compromised through a trojan horse in the build process of Microsoft Word!
Re:hmmm.... (Score:2, Insightful)
Re:hmmm.... (Score:2, Funny)
To be honest, you're the only real human left. Sorry we missed you. You'll be getting a knock on your door shortly.
Don't worry... this is just the world pulled over you eyes.
Re:hmmm.... (Score:2)
- A really good joke requires at least three people:
-
One to tell the joke
- One to get the joke
- One to laugh at for completely missing the joke
Looks like we've got all three here.-- unknown
Nice joke!
Re:hmmm.... (Score:4, Informative)
Further reading [freebsd.org]
Re:Gentoo... (Score:3, Informative)
Since its only a build issue... (Score:2, Interesting)
Or am I thinking far too simply for my own good again?
Re:Since its only a build issue... (Score:3, Informative)
@ $(CC) bf-test.c -o bf-test;
The backdoor code will still be there, but it won't be built. Or, alternatively, just wait for it to be fixed. Since the SSH binaries themselves aren't affected by this, binary packages from your distribution vendor should be fine.
Re:Since its only a build issue... (Score:3, Informative)
This was just one type of trojan. Some others could go dormant for several hours before contacting the world outside. Simply "building the binaries with plug off the wall" is not a solution. It's a knee-jerk reaction and still at fault. The correct way is to check the package against a MD5sum or (preferably) GPG signature - and if possible, these should be at a different machine on a different network from the tarballs.
On the other hand, just looking at the trojan source quickly, it looks very much like a slightly evolved version of those found in irssi, BitchX, dsniff and fragroute configure scripts. This has already been noted by some other individual here as well. See his post for links.
I'm suprised... (Score:2, Insightful)
People keep harping on about how open source software means that they can trust downloaded source code, but who actually reads through to source code for something before they actually compile?
Usually it's just
James
Re:I'm suprised... (Score:4, Interesting)
It's also why I spend (some say waste) a few idle cycles now and again just perusing code - it only takes one person to notice an anomaly. The more aggregate cycles spent reviewing code, the better the systems get.
Re:I'm suprised... (Score:2)
This shows why: 1. Businesses can choose to trust software developed by random volunteers whose 'peer group' contains people of all sorts, with all sorts of political ideologies.
Rendering the group aggregately free of all of the biases and ulterior motives those political ideologies may bring to the project.
or 2. Businesses can choose to trust software developed by managed teams of developers.
Whose motives are clearly defined as breaking everyone else's stuff and planned obsolescence, to name a few.
Do the math. The fact that the entire SNMP protocol was a gaping security hole was known for MONTHS to the likes of Cisco and Nortel, and we were allowed to go on ignorantly using insecure technology while their managed teams of developers came up with patches. If you'd rather not know when something is insecure, I suppose closed source is for you. I choose to be aware of how my systems operate.
Re:I'm suprised... (Score:2)
or
2. Businesses can choose to trust software developed by managed teams of developers.
What makes you think proprietary developers are any less political or any better "managed" than those working on open source?
John Q. Public isn't going to read through the source code. He isn't capable of reading through the source code.
They can't carry out their own examination of proprietary software. Nor can they rely on third party reviews, because of EULA conditions. At least it is possible for anyone to learn a computer language. There isn't (yet) a law against that.
Re:I'm suprised... (Score:2)
MD5.
I do scan through some of the code I compile now and then. If everyone does this, it should catch a lot of these "additions".
OTOH, MD5 does not hurt. For instance, it helps to keep my FreeBSD box secure as in this case.
Ummm, not quite. (Score:2)
If they have a competent IT organization they have a team that will check that the software does not make any funnies.
Add to that just curious people, people modifying the software to their own needs, etc. and you get an army of people looking for problems and improvements.
That beats CSS in many instances (not all certainly), does not seem any worse and is more reassuring (the people evaluating normally do not have a vested interest in making the software work other than to satisfy their own needs).
Re:I'm suprised... (Score:2)
Don't think it would have taken 6 months. Might have taken about a week. Something which "phones home" would always tend to draw attention to itself. There are tools for identifying which process is opening which socket, even for Windows.
Security, Antisecurity and a Purposeless Anecdote (Score:4, Interesting)
And on the other hand, there's stories like this one and that [slashdot.org] one about anti-security "features" in the same package.
Now, my question is this: is this indicative of open-source development projects, in general? [Yeah, it's faster to fix issues, but if the distros are *causing* issues in the first place, well....
Reminds me of a company I worked for that was timebombed by a previous programmer. Unfortunately for him, when we looked at the source code, all was well (he'd copied the sources back over his modified ones used in the binary build)
Anyway, I can't see how a disgruntled coder could really affect an open-source project, unless there's personality factors at play that I don't know about. Anyone have some meat on this OpenSSL mess?
suggestion: changing the main ftp openbsd site (Score:2)
I suppose that a mirror has better chances to be managed with motivation and skill, surely more than a solaris box in a university actually has.
also, the mirror should run openbsd itself...
Re:suggestion: changing the main ftp openbsd site (Score:2)
How many people do check the MD5 checksum? (Score:3, Insightful)
Also, how many people do read the makefiles before running them on your machine? And when installing binaries require root access?
If this story is really true, how much safer is open-source programs, when compared with closed source programs? Notice that even with closed source programs, *some* people will eventually discover that they are trojan or not.
Re:How many people do check the MD5 checksum? (Score:5, Informative)
The same is true of other systems like the Red Hat Network.
Re:How many people do check the MD5 checksum? (Score:2)
The port system includes MD5 sums when you download the port system or checkout it from cvs.
Re:How many people do check the MD5 checksum? (Score:2, Informative)
I don't know what OS you are talking about. Debian apt automatically [debian.org] checks MD5sums, Red Hat network uses cryptographic certificates to verify package integrity, even Windows has a package verification system.
Re:How many people do check the MD5 checksum? (Score:2)
For example, RedHat Network verifies downloads. The problem here is that the network was not too comprehensive, not really that integrated into the 'core' of the package management (more of an add-on, so it's not necessarily in your face every time you deal with package installs), and is made inconvenient by its cost. Not saying it is bad to charge for it, just that for most users out there the service is not enough of an added benefit to justify the cost. Hell even trying to stick to RPMs at all falls through, even if not sticking to red hat network. When I ran redhat, what redhat provided was pretty slim choice of packages from them, and what was there was outdated by the time they shipped, and not many independent projects offered RPMs, so most of my system was unmanaged....
Now debian with apt is more comprehensive and loads more convenient (free, 'more' in your face than rhn, but there is still dpkg). Of course packages still out of date....
Now my current favorite is gentoo with its portage system. Truly the core of the 'package' management system is so tightly intertwined with the distribution system that it's hard to ignore. They stay almost entirely cutting edge and nearly everything I want is in there. The one thing I had always admired about the BSDs was the ports system, but the hardware support under linux was better, so gentoo is a good medium....
Of course none of this is possible on a commercial platform fed by commercial apps. First off, payment methods complicate distribution. Secondly, in a group of businesses in it for the money, what sane business would make it easy to get *competing* software? For example, MS's 'windows update' sometimes offers free MS apps, but beyond that, nothing comes out of it. Even if Nero was free, and even if Zoomplayer is free *and* better than Windows Media Player, MS would never distribute them as they would compete and threaten MS's future hold over tight drm control in the future...
Re:How many people do check the MD5 checksum? (Score:3, Insightful)
I'm a little confused. How can you trust a package to check it's own MD5 checksum? If I'd slipped a malicious program into another app, the next thing I would do is hack the checking code to falsly tell the user than the checksum is fine.
Re:How many people do check the MD5 checksum? (Score:5, Informative)
Re:How many people do check the MD5 checksum? (Score:4, Interesting)
I've been wondering about this - and the answer is almost certainly not.
I've written a fairly widespread mp3/ogg streamer [gnump3d.org]. I used to list MD5 sums on the download page - but recently I've switched to signing with my GPG key.
(On the basis that if somebody altered the downloads they'd be capable of fixing up the MD5sums file in the same directory too).
Taking a look at the download statistics [sourceforge.net] you can see that about 1 person in 50 downloaded the signature file to match their archive.
That suggests that 2% of people routinely check signatures. I assume that less people check the code than check the signatures so ... it's probably safe to say that no more than 0.5% of people do.
Re:How many people do check the MD5 checksum? (Score:3, Interesting)
Re:How many people do check the MD5 checksum? (Score:5, Interesting)
We can model something along the lines of DNS, and have the download/build process do a 'lookup' on (say) openssh-3.4p1.packages.net, to get the MD5 sum, and compare it with whats on hand.
Never underestimate the power of a bunch of pissed-off nerds... :)
Re:How many people do check the MD5 checksum? (Score:2, Insightful)
Well, the problem with the md5 checksum is that it only protects against download errors, not against replacement at the server (unless you have an independent source for that checksum): It's trivial to calculate the checksum for the changed package, and if you manage to replace the package file, you most probably manage to replace the file with the md5 key as well.
The only way to really secure against such replacements is to use public-key cryptography to sign the package. Then no one can recreate the signature without having the private key.
Maybe for installing, a safer way would be to give the user account temporarily access to the destination directories, then install as a user, and finally change owner permissions by hand. Of course this won't work if installation consists of more than just copying files to other directories, and this extra stuff needs root permissions. However, I guess that's rare.
Re:How many people do check the MD5 checksum? (Score:2)
Re:How many people do check the MD5 checksum? (Score:3, Funny)
So there are positive features to the *BSD splits after all! :-)
DUH! (Score:2)
My major gripe is that most of us lazy bastards (he, me too!) will compare:
Like, if I were a Trojan cracker I wouldn't make sure to regenerate the md5sum on the web page to match up perfectly with the new tar ball!
If someone can replace blah.tar.gz they have a fair chance at being able to replace a blah.html file.
It really points up how good security for distributed packages depends on getting signatures and hashes distributed out to lots of different places in lots of different ways to make it much more difficult for a Trojan author to compromise that many different independent points of verification.
If we don't bother to use distributed verification to check the authenticity of our software, then we have only ourselves to blame for the consequences.
Checksum...? (Score:5, Interesting)
Re:Checksum...? (Score:3, Informative)
Re:Checksum...? (Score:2)
This looks like a strong argument for locating the checksums elsewhere, or for GPG signing tarballs instead of MD5 checksums. I've always looked at MD5 as more useful for spotting accidental corruption than intentional.
Idle curiosity (Score:3, Informative)
Re:Idle curiosity (Score:4, Informative)
Re:Idle curiosity (Score:3, Informative)
This is not quite up to the standard I had come to expect from Debian.
My apologies go to anyone who was misled by my earlier statements.
Trojan (Score:5, Interesting)
Tell me how this isn't a trojan again? A remotely controllable program that could possibly give the attacker root access?
It wasn't orgianally like that. (Score:5, Informative)
So if the file was modified it happen later.
Re:It wasn't orgianally like that. (Score:5, Informative)
The datestamp on the modified file was Jul 31, so it does look like it's been changed recently.
Trojan executes code read via /bin/sh (Score:3, Informative)
But it reads from the connection and executes the read code via /bin/sh. You call this not a trojan?
Trojaned source distributions (Score:5, Interesting)
At this point I think we need to make the assumption that the problem is a bit more common than viewing these compromises individually would suggest, and perhaps these individual events can even be linked together.
And for the developers out there, I think it's time to check over all of your current distributed source tarballs.
OpenSSH (Score:5, Informative)
M respawned the process.
A killed the trojan.
D launched
With the D command, as given _to_ the trojan, the daemon on 203:62.158.32:6667 was given control of the trojaned users system shell. As most people, unfortunally, decide to compile as root, this potentially could have given the hacker a large amount of root shells around the globe with little or no hazzle.
Funny, this is. Expect more trojans that look like this, but in a better disguise.
-- Hans.
What's the big worry (Score:5, Funny)
'bf-output.sh' is not recognized as an internal or external command,
operable program or batch file
This trojan doesn't look very 31337 to me.
Healthy versions still available..? (Score:2, Informative)
juan:~> md5sum openssh-3.4p1.tar.gz
459c1d0262e939d6432f193c7a4
ftp://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/po
My analysis (Score:4, Informative)
So the backdoor is in the Makefile, not the OpenSSH software itself.
One thing to mention is that IMHO this is not a fault of OpenBSD. As anyone can read in their FAQ [openbsd.org] www.openbsd.org (and ftp.openbsd.org) is run on Solaris.
Re:Not the fault of OpenBSD? (Score:4, Informative)
Slashdotted (copy of the weblog) (Score:5, Informative)
01 August 2002 - 19:10:23 - OpenSSH 3.4p1 package trojaned
And all I was thinking was "Oh! I should upgrade ssh on these two machines before there are problems...". The beauty of FreeBSD is that it goes like this:
[~] edwin@k7>cd
[/usr/ports
[/usr/ports/security/openssh-porta
Easy euh? It went well, except for the second step:
===> Extracting for openssh-portable-3.4p1_7
>> Checksum mismatch for openssh-3.4p1.tar.gz.
Make sure the Makefile and distinfo file (/usr/ports/security/openssh-portable/distinfo)
check, type "make NO_CHECKSUM=yes [other args]".
*** Error code 1
Euh... I didn't remember seeing a change in the FreeBSD ports regarding this. And I didn't see an announcement for it from the people from OpenSSH... Oh well, it happens. I downloaded the new openssh-tarball:
-r--r--r-- 1 12187 mirror 840574 Jul 31 16:47 openssh-3.4p1.tar.gz
-r--r--r-- 1 12187 mirror 232 Jun 26 08:20 openssh-3.4p1.tar.gz.sig
That's weird, they've rerolled the tarball without updating the signature file. I asked a couple of people on irc (#sage-au) if they have had troubles with compiling openssh the last days. Yups, ^Sarge^@bofh.snsonline.net also had it, he had a checksum mismatch.
Curious as I was, I extracted the old and new tarball and this were the differences:
[~/test] edwin@k7>diff -r -u openssh-3.4p1-old openssh-3.4p1
diff -r -u openssh-3.4p1-old/openbsd-compat/Makefile.in openssh-3.4p1/openbsd-compat/Makefile.in
--- openssh-3.4p1-old/openbsd-compat/Makefile.in Wed Feb 20 07:27:57 2002
+++ openssh-3.4p1/openbsd-compat/Makefile.in Thu Feb 1 08:52:03 2001
@@ -26,6 +26,7 @@
$(CC) $(CFLAGS) $(CPPFLAGS) -c $bf-test.out; sh
$(COMPAT):
$(OPENBSD):
Only in openssh-3.4p1/openbsd-compat: bf-test.c
At this moment I asked a couple of people on irc (#sage-au) if they have had troubles with compiling openssh the last days. Yups, ^Sarge^@bofh.snsonline.net also had it, also a checksum mismatch. Time to go deeper into it...
bf-test.c is a weird file. It talks about HP-UX PL.2 systems, it talks about _CRAY notes, it talkes about none-T3E machines, it talks about _ILP64__ and it does an epcdic2ascii() call. I'm not very skilled in computers (well, I am
bf-test itself is pretty harmless, it only prints things to the screen (remember the change in the makefile? execute, redirect the output and execute the output). The shell script it prints creates a C program and tries to compile it. If it doesn't succeed at first, it tries to link other libraries (everybody who has ever ported a Solaris knows that you have to explicitely link to libresolv et al). So it's cross-platform
The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get an M, it will spawn a shell. Some people will build it "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.
While analyzing the code on #sage-au and mentioning the hostname, ^Sarge^ looked strangely at me (well, it's IRC so you never know but that's what I would do): "That is my machine.". The good news is that I didn't have to worry about finding out who manages the machine!
The next step is to inform somebody who manages the openssh-packages: The OpenBSD team. Up to right now, I have had no experience with the OpenBSD team (if you check my website you'll see that I'm more a FreeBSD guy
*** MavEtJu has joined #openbsd
Euh... anybody from the openssh-team here?
I have some news for you...
What's up?
I have contact! Marius asked me the standard questions (how did you find out, how can I see it, when did you find out) and after some investigation he said "I think I'd better call (and now I have forgotten the name)". Coolies! I think I found a right person to talk to! It looks like things are going to roll now, I can take my hands of it.
The last things I did were writing some emails to a couple of mailinglists and guide ^Sarge^ to #openbsd. For the rest I wasn't of very much use anymore, so I just kept monitoring #openbsd. And the logfile of my website, which went ballistic.
Aftermatch
* The portable version wasn't the only which was trojaned, the normal version was also.
* It seems it took only six hours before somebody was alert enough to see that there was something wrong, all thanks to the checking of the MD5-checksum [insert a sweet 'aaaaaahhh' here]
* OpenSSH itself wasn't trojaned, the tarball was. There is nothing wrong with OpenSSH itself (this time
* The building of a port (under FreeBSD at least) is done as root with all its privileges. This is a wrong approach. For a time I tried, as an experiment, to build ports as user "port". This worked fine except for the "make clean" part, in which I couldn't remove the files created during the "make install" phase and the files which were made during the building of the RUN_DEPENDS ports.
Re:Slashdotted (copy of the weblog) (Score:2)
MASTER_SITE_BACKUP?= \
ftp://ftp5.freebsd.org/pub/FreeBSD/ports/distfile
MASTER_SITE_OVERRIDE?= ${MASTER_SITE_BACKUP}
I'm using ftp5. YMMV. However, when ports and packages trickle in from the maintainers, they're always found on the FreeBSD mirror and this makes for faster downloads.
Well, I guess that's what they get... (Score:3, Funny)
New catch phrase (Score:4, Funny)
Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"
Re:New catch phrase (Score:2, Informative)
Next it will be "one remote hole and one 'harmless trojan' in the default install, in really very close to 6 years!"
No it wont, because the trojan was only in the source to the portable version. OpenBSD ships with a binary which is from the unpatched source.
The real issue is persistence (Score:2, Interesting)
How many companies are going to tell a new programmer to go ahead and spend 6 months reading through all the code? How many companies encourage all the programmers to look at old code, check every line every couple weeks and perform extensive regression testing? From my own experience, few companies look at old code and the regression testing is typically a narrow focus on the functional aspects. Things like a trojan aren't going to be caught by the typical regression testing procedures.
On my free time, I do read through open source code for fun. From my own biased experience, open source code tends to be much cleaner and better documented than closed source projects. This isn't including all the PERL code I've seen written in creative ways to make visual art. I've also seen clean PERL code, but that's another story. Back to the point. Persistence is what wins in the end when it comes to security. The minute a person get lazy is when an attack will happen. But I seriously doubt this will change in the near future, since it's really a matter of culture. Businesses can't afford to have a team of programmers to sit around and audit their security every couple months. So unless our culture changes and realizes quality is more important than convienance, things like this will continue to increase in frequency. Of course everyone living in a modern techno society is guilty of it. But that's not to say technology is the cause of it, though they are related.
Why not hack the md5 checksums? (Score:2, Insightful)
So, in this case, couldn't someone just as easily generate an md5 sum for the hacked file and put that in the sum file? I know on bsd you have ports which would prevent this, but what about Linux? Everything would seem kosher if the hax0r replaced the sum file...
thx for responses.
Re:Why not hack the md5 checksums? (Score:3, Interesting)
This is a solved problem. Red Hat, for example, GPG signs the MD5SUM file. So you can verify that the person who created the MD5SUM was authorized to do so.
Open Source PKI Needed? (Score:4, Interesting)
On a related note, does Debian use anything to prevent this from happening? I for one don't worry too much when doing an update, maybe I should...
Re:Open Source PKI Needed? (Score:3, Insightful)
As far as trojaning individual
Every time this comes up on debian-devel the end result is a classic example of "the best is the enemy of the good". The suggestions for minimal signing of anything (say, having the process that creates the Packages file sign it) are always rejected because they wouldn't address the whole problem. (What if master.debian.org were hacked?) Unfortunately, no one can ever come up with an acceptable consensus definition on what the whole problem actually is, so nothing ever comes close to being implemented.
GnuPG a good idea (Score:2, Insightful)
Re:GnuPG a good idea (Score:4, Informative)
Real cryptographic signing, like that mentioned in the grandparent post, involves hashing the tarball using a strong hash, and then encrypting that hash using the private key of the signer. Then, any person can retrieve the public key of the signer and verify that the "signature" is legitimate by attempting to decrypt the hash (this is probably not strictly correct with the way things really work, but the concept is, AFAIK, correct). The point is that the only person who can "sign" the tarball is limited to only legitimate people (or organizations). So, if the signature for the tarball is valid, you can guarantee it was signed by someone you trust, and so you can trust the code.
hostinfo (Score:2, Interesting)
snsonline.net
$ whois 203.62.158.32
% How to use the APNIC Whois Database www.apnic.net/db/
% Upgrade to Whois v3 on 20 August 2002 www.apnic.net/whois-v3
% Whois data copyright terms www.apnic.net/db/dbcopyright.html
inetnum: 203.62.158.0 - 203.62.159.255
netname: AUSTRALIANINTER-AU
descr: Australian Internet Solutions Pty Ltd
descr: Suite 3, Level 5, 277 Flinders Lane
descr: Melbourne
descr: VIC 3001
country: AU
admin-c: DA53-AP
tech-c: DA53-AP
mnt-by: MAINT-AU-KALED
changed: register@aunic.net 19970211
changed: aunic-transfer@apnic.net 20010525
changed: hostmaster@apnic.net 20011115
source: APNIC
person: Domain Administrator
address: Level 4,
address: 180 Bourke St,
address: Melbourne, 3000.
country: AU
phone: +61-3-9650-5566
fax-no: +61-3-9639-1897
e-mail: kaled@dalek.ains.net.au
nic-hdl: DA53-AP
mnt-by: MAINT-NEW
changed: kaled@dalek.ains.net.au 20010619
source: APNIC
I've apparently triggered the lameness filter with this... BTW, I can ping this host, so it's still up. However:
$ telnet 203.62.158.32 6667
Trying 203.62.158.32...
telnet: Unable to connect to remote host: Connection refused
Looks like they closed that port?
Portscan of the backdoor IP (Score:2, Interesting)
the backdoor tries to connect to:
nmap options (where options is filtered by Slashdot)
ALRIGHT FSCK THIS!! You'll just have to take my
word for it the nmap showed the port closed (do it yourself) I've just tried 10 different ways to submit the nmap output and the lameness filters won't let it through.
Note that port 6667 does not appear to be open, although a backdoor is still a pretty big thing
to worry about. Also note that much of the output
is cut out due to LAME Slashdot filters.
Prescient Alan Cox / Theo exchange (Score:5, Interesting)
We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter -- it is just so funny).
Please do publish that letter, Theo. That would be very interesting.
PU
Re:Prescient Alan Cox / Theo exchange (Score:2)
Trolling for karma, eh? (Score:4, Insightful)
If he'd have said, "for all we know, OpenBSD could attract near-earth bodies" would you post this comment as "eerily prescient" on the recent asteroid stories? Sometimes things just aren't related. Despite what Mulder may think.
Could Freenet, GnuNET help here? (Score:2, Interesting)
Great! (Score:2)
So, it was introduced, caught and demonstrably fixed in under 24 hours, with full disclosure and openness at every step. Excuse me if I see no cause for panic.
And can anyone explain how this is even in the same ballpark as the "w3 0wnz j00r b0xen" EULA's, 'phone home's and brazenly trojan updates that Microsoft are inflicting on their customers?
How to fix this from the site it's calling (Score:3, Insightful)
yes "A" | nc -p 6667
Then every daemon that connects gets an A right away, and thus dies. End of problem.
FYI: Gentoo OK (Score:3, Interesting)
End result: no one in Gentoo has been able to compile/emerge openssh for the last few days.
Which is good :-)
Re:Gentoo is Good to Go (Score:3, Insightful)
why now? this whole episode seems to be a good example of the current system working well... tarball trojaned, ports system detects md5 mismatch, no compromise, no problem.
blocking network traffic (Score:3, Informative)
In particular, if the machine in question is a server (usually the reason you have SSH on a box), you should make every possible effort to remove outgoing traffic. There's usually no reason for a server to create outgoing connections to the internet, and if it needs to connect to any specific local resources (e.g. a database machine), limit the iptables/routers appropriately.
Re:203.62.158.32 (Score:3, Insightful)
I dunno if thats what this one does though.
Re:203.62.158.32 (Score:3, Informative)
But in this circumstance, I don't believe it is the case. The trojan connects to port 6667, which is usually ircd. Outgoing connections to irc servers are not exactly uncommon in those boxes that run any kind of flavour of *nix. Hence, it's not a connection that really attracts attention by itself. It looks like a connection to a stand-alone ircd in netstat reading. Also, because irc is so common service to use, the firewall setups are likely to allow this through.
The other end of that connection, however, was more than likely running something totally unrelated to irc. After all, the connection itself is somewhat like a backward rsh. (I believe it actually bears the name "bindshell"...) This was a very basic case of trojan: install a backdoor that calls home and allows to execute commands remotely.
Re:203.62.158.32 (Score:2, Informative)
The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get M, it will spawn a shell
I guess this answers your question
Re:203.62.158.32 (Score:2, Insightful)
Re:203.62.158.32 (Score:5, Interesting)
Cheers,
^Sarge^
Re:203.62.158.32 (Score:2, Insightful)
Re:203.62.158.32 (Score:3, Informative)
Take a look at www.linuxfromscratch.org to see how this works for an entire system.
Re:203.62.158.32 (Score:3, Informative)
Recompiling the compiler doesn't do anything to rid you of trojan code/back doors. If you need to ask why, take a look at "Reflections on Trusting Trust" by Ken Thompson [acm.org], and the description of a back door [tuxedo.org] in the jargon file.
The short story is, that the compiler decides what to output. So you have to trust your compiler.
The reason for the recompiling of gcc is something else entirely: It is to allow the source code of gcc to rely on gcc, and to allow an optimized compiler to be created.
For additional information consult a good book on compiler writing.
Rebuilding from source, and paranoia (Score:3, Informative)
http://www.acm.org/classics/sep95/
Step 2: Decide for yourself if you're ready for the tinfoil-helmet brigade.
Step 3: Type 'make world' if you dare.
Re:looks like it's from our australian friends (Score:2)
It's definitely going to be just another 0wn3d box like with the BitchX source ./configure trojan.
Re:looks like it's from our australian friends (Score:2)
--jquirke
Re:looks like it's from our australian friends (Score:2)
However, what you have just done is published the address of the 'victim', which is possibly what the original author of the trojan wanted.
Now Melbourne slashdotters who think like you will be paying a visit to this address, the next time I'm walking along Bourke I'll look out for any damage they may have caused.
--jquirke
Re:How to stop this happening again? (Score:2, Insightful)
Check MD5 sums
make -n
Unplug from the net and log all traffic while you compile, install and test. Check the log.
Don't unpack a tarball within 48 hours of its creation...let someone else find the problems.
Be one of the "many eyes" and actually learn some of the source code.
Re:How to stop this happening again? (Score:2)
How about LIDS [lids.org]? LIDS lets you set r/w perms on files and directories and restrict actions that all users, even root, can perform. With a tight LIDS setup, root isn't even root. A simple example is setting
That's pretty tight.
Re:How to stop this happening again? (Score:2, Interesting)
First, open source project teams should try their best to make sure that their distribution points are secure. I know that no one intentionally distributes code from known-bad servers, but rather than just assuming security in the absence of knowledge to the contrary, I think they should make the security of their servers more of an active part of their project.
Second, they should register PGP keys with the key servers. Popular projects could even sign each other's keys, creating an informal web of trust. For example, the FreeBSD, OpenSSL and OpenSSH teams could maybe sign each others keys. This would help users make sure they don't download false keys from the servers.
Project teams should keep their private keys on read-only media (like a CD-R), and only 2 or 3 trusted members should be allowed to sign distributions. Really large projects could even do key splitting, so that (for example) 3 out of 5 developers are required in order to sign a release.
Of course, the project files should have detached signatures available in the same place that the distribution is. If it's FTP, put the detached signature in the same directory as the tarball. A lot of projects already do this. A pointer to the signature should be included in the project. Preferably, this should be in a standard file, like the $PROJECTROOT/SIGNATURE file, to make it easy to find.
If all these suggestions (or something like them) were followed, then someone who downloaded a package could use an automated tool to check the signature in one easy step. It is almost axiomatic that convenient security procedures get followed far more often than inconvenient ones, so I think automation is an important consideration here. It would add only one easy step, transmuting
configure && make && make install
to
checksig && configure && make && install
Re:what's up with OpenBSD? (Score:2, Interesting)
OpenBSD is less of a fortress and more of a flexible defense. In this case, even though the integrity of the centralized source code was compromised, any end-user who accessed it via the ports tree was immediately tipped off that something wasn't kosher. They could then communicate this to other users and the maintainers of OpenBSD and thus make this attack known to the public within hours of it happening. And due to the ease of updating that the ports tree provides, the maintainers of OpenBSD can correct this problem very quickly. This sort of suppleness provides for the best kind of broadband defense, whereas a "fortress" cannot brook much weakness in any of its parts and is far more brittle. Had users not been able to see the disparity (via MD5 sums), or not been able to communicate it to their fellow users, or not have been able to easily obtain a clean copy, then the problem may have been easily transmitted to a large number of operating OpenBSD machines. As it was, the problem got nipped at the bud.
This event would be the sort of reason why security-conscious people should stick with OpenBSD.
Re:what's up with OpenBSD? (Score:2)
This is the second problem with OpenSSH in a few months, and OpenSSL was exploited just a few days ago
a) OpenSSL != OpenSSH
b) OpenBSD and OpenSSH both still have excellent track records compared to your average Linux[0] distribution.
c) If OpenSSH is really that much of a hole, write something better
[0] This is not a troll, it's reality. However being slashdot I'm sure to take a few karma hits for daring to speak like this..
Re:what's up with OpenBSD? (Score:2)
The OpenBSD version (the refrence version) of SSH is unaffected by this trojan.
Re:Another reason.. (Score:2)
It's funny cause I actually saw this appear on NANOG first.
SealBeater
Re:Just a Thought to prevent this.. (Score:5, Funny)
Yes, I recommend having the installation banned from creating / deleting / running any files.
Re:j00 R 0wn3d lol (Score:2, Funny)
So you must not run XP, right? I know a guy who firewalls his XP box, not so much to keep others out, but to keep data in! He uses egress filters to stop unauthorized outgoing traffic. And, yes, XP tries to report back to Redmond.
This rogue code was caught within 6 hours. It would take at least 6 days for M$ to even admit that the trojan existed (that is, if they would admit to it at all). Micro$loths security record is hardly something to brag about. On the other hand, OpenBSD's record up til recently has been very impressive, to say the least.
Re:Why aren't people asking as to whom is doing th (Score:2)
DON'T DO THAT !!! (Score:2)
Re:Bad news and Good news (Score:5, Informative)
And it looks like they're not "eating their own dog food," and eating Sun dog food instead
did you ever think there might a reason [openbsd.org] for that?
then you can't trust a web server to give you a web page with an unaltered MD5 sum. Surely this is common sense?
I am not sure, but this just might be the reason why systems like BSD ports and Gentoo portage store the MD5 sums in the ports trees, and don't in fact get them from websites.
The real solution is digital signatures (i.e. an MD5 sum encrypted with a private key).
WOW! what an original and fresh solution! you sir, are some sort of genious for coming up with this.
congratulations, you've managed to regurgitate several of the things that have been said, literally, hundreds of times today already. I think the Society for Prevention of Cruelty to Dead Horses might have a bone to pick with you.