Trojan Added to TCP Wrappers Source on FTP
P.J. Hinton wrote in to send us a link to a CERT advisory explaining that the sources to TCP wrappers were actually replaced with a nice new and improved version. Complete with a trojan. It was caught fairly quickly after it was uploaded, but it's still kinda scary.
Update: 01/22 01:07 by CT: Several people sent the Bugtraq post over at Linux Today. A lot more details clarifying the situation.
I think Rob fixed First Post Syndrome (Score:1)
I haven't confirmed this, but it seems like Rob has put some code in to keep the first few posts from showing up in the order of submitting. I've posted several articles to stories that said something like 1 or 2 comments on the main page and still somehow got the first post. After a while, the other posts would show up (and no, they didn't have lower scores).
--
Jason Eric Pierce
Mettler's attack slightly different (Score:1)
Researching a different topic I came across an interesting CERT advisory [cert.org] regarding loadable kernel modules. One common response to Mettler was that any kernel hack would require recompiling the kernel, and restarting the system. With loadable modules, system restart isn't necessary -- the kernel can be modified in place, as it runs.
In all three instances, confirming source, object, or image against a trusted version would help in detection. Kernel compromise is a frightening prospect as it undermines the trustworthiness of the entire system. Booting a fresh kernel, however, removes the damage (you then have to keep the rogue modules out).
You have, but... (Score:1)
Uhm, how did the trojan get there? (Score:1)
/bye
Bram at grmbl dot com
Paranoia - The Destroyer (Score:1)
Not a big deal (Score:1)
Second, it *was* detected and corrected very rapidly.
All in all, a success story.
- Ken
A now-proven hypothesis for OSS (Score:1)
As far as I'm aware, this is the first incident where some deliberate foul play was detected and handled. Guess those wacky OSS advocates were right. =)
--
rickf@transpect.SPAM-B-GONE.net (remove the SPAM-B-GONE bit)
CERT (Score:1)
Now that I find disturbing :-)
Matthew.
Second tripwire (Score:1)
So the only Open-Source Trojan that will really succeed is one put in place by a conspiracy of EVERY single sysadmin worldwide... I'm not worried.
This message has been brought to you by the Sysadmin Conspiracy: There Is No Sysadmin Conspiracy (tinsc).
-----
I wonder... (Score:1)
To whom is the email sent?
Who first discovered the trojans?
Was it someone that downloaded the code?
Was it one of the sysadmins scanning the logs?
Answers to some of these questions will tell.
Not scary at all. (Score:1)
The hack went in on the 21st. It's now the 22nd, barely.
This is scary? It took one day to detect and handle a security problem? Closed source products can have security issues for years and years before their existence becomes public knowledge. Took them a day.
Indeed, it is only when attacks become "open source" in a sense that they're cured.
Once you pull the pin, Mr. Grenade is no longer your friend.
Whodoneit? (Score:1)
I love it (Score:1)
we were warned (Score:1)
but i agree with Effugas: it's not as bad to have such a thing in open source software as in some closed source one; the first one (open) can be handled for example by viewing source or choosing the download site carefully; but protecting ourselves against bugs/viruses/trojans distributed in closed source software is far harder
encryption ... (Score:1)
if we have a fine crypto system with key exchange then every piece of software could be signed by author/packager/producer/... and we should be able to authenticate the person and then trust him or download the software from someone else
our slogan should be: sign what you produce ... soon :)
(i will
we were warned, but... (Score:1)
You have, but... (Score:1)
There was an MD5 sum for this package and there was a detached PGP signature.
But how often do you care to check signatures when you are downloading a package? And it seems that anything at all can contain trojans.
Read a nice article [acm.org] by Ken Thompson about a trojan in the C compiler. Have you checked the MD5 sum when you downloaded the GCC binary last time? And as Thompson shows, recompiling GCC from sources with an untrusted compiler doesn't help you.
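The two comments above (comparing files against a trusted version, and the MD5 sum published alongside the archive) both come down to the same check; here is an added example of it, not code from the thread or from the tcp_wrappers project. It parses a checksum manifest in the md5sum/sha256sum line format, verifies in-memory archive bytes against it, and flags the cases a replaced FTP upload would produce (content differs, file missing, unlisted extra file); the file names and contents are constructed, and the manifest itself is assumed to arrive over a channel the attacker cannot also rewrite, which is what the detached PGP signature is for.

```python
"""Verify downloaded source archives against a checksum manifest.

Manifest lines follow the md5sum/sha256sum convention: "<hexdigest>  <name>"
(a "*" before the name marks binary mode and is ignored).  Everything below
is constructed for illustration; no real tcp_wrappers checksum is reproduced.
"""
import hashlib
from typing import Dict


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory archive, using whatever algorithm the publisher used."""
    return hashlib.new(algo, data).hexdigest()


def make_manifest(files: Dict[str, bytes], algo: str = "sha256") -> str:
    """Emit a manifest in the same two-space format the md5sum/sha256sum tools print."""
    lines = [f"{digest(data, algo)}  {name}" for name, data in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Map each listed file name to its expected lowercase hex digest."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        hexdigest, name = line.split(None, 1)
        expected[name.lstrip("*")] = hexdigest.lower()
    return expected


def verify(manifest: str, files: Dict[str, bytes], algo: str = "sha256") -> Dict[str, str]:
    """Return a status per file: OK, FAILED (content differs from the manifest),
    MISSING (listed but not present), or UNLISTED (present but not in the manifest).
    An extra archive on a mirror is as suspicious as a changed one, so it is reported too."""
    results: Dict[str, str] = {}
    expected = parse_manifest(manifest)
    for name, want in expected.items():
        if name not in files:
            results[name] = "MISSING"
        elif digest(files[name], algo) == want:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    for name in files:
        if name not in expected:
            results[name] = "UNLISTED"
    return results
```

A FAILED result on the archive, with the manifest itself verified by its detached signature, is exactly the signal that would have exposed the replaced tarball before anyone compiled it.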
A now-proven hypothesis for OSS (Score:1)
Embrace And Extend??? (Score:1)
An Observation (Score:1)
$0.02
Don't be too eager to raid the FTP sites (Score:1)
Logic 101 (Score:1)
While what you say might very well be true, it doesn't say anything about the previous person's statement. Most of the general population are also not skilled programmers.
He (I assume) was saying that cracking does not strongly correlate to programming skills, not that it correlates more or less than some other activity.
Most of the crackers I've talked to are what the BBS world used to call ruggies, or rugrats. About 1-5% of them may, someday, grow up to be skilled programmers. Most people with the knowledge to develop new cracking techniques are also grown up enough not to use it.
Moral: don't rush for new src releases/betas???? (Score:1)
This trojan horse was not inserted by the authors of the package. Instead, it was inserted by someone that broke into the ftp site. This would be the same as breaking into MS web site and uploading a patch infected with a trojan horse. Waiting x amount of time has nothing to do with this.
"1. PGP key can be successfully forged."
??? PLEASE...who are you kidding. Do you know anything about cryptography? Forging a PGP sig is so unlikely that it would be more feasible for the offender to physically force you to hand over your private key.
"FormatDriveC("bye");"
Go away troll - Linux/Unix does not use drive letters.
"How many of you review low level assembler routines present in Linux?"
_WHY_ would I do this?? Obviously you are from the MS world of closed source where you do not have access to the source code.
How did it happen? (Score:1)
How the hell did it happen to begin with? CERT is always so coy about *that*.
Dropping this into tcpd is like tugging on Superman's cape. Someone is gonna get serious props from the kiddieZ for this one.
--------
we were warned, but... (Score:1)
Either that, or it's a conspiracy