OpenSSH Trojan Horse Vulnerability
Reportedly, the server hosting openssh, ftp.openbsd.org, was compromised recently. It has been reported that the intruder made modifications to the source code of openssh to include trojan horse code. Downloads of the openssh source code from ftp.openbsd.org between July 30, 2002 and July 31, 2002 likely contain the trojan code.

The trojan code appears to be included in the file bf-test.c. Reports say that the trojan will run once upon compilation of openssh. The trojan process is named 'sh' or the compiling user's default shell. Once executed, the trojan attempts to connect to 203.62.158.32 on port 6667. The trojan will then wait for one of three commands.

The following sites also have been reported to carry the trojaned version of openssh-3.4p1.tar.gz:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/
ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/
ftp://ftp1.se.openbsd.org/pub/OpenBSD/OpenSSH/

It is not known whether other sites are affected as well.

***

The OpenSSH team has released an advisory. Fixed versions of openssh are available for download since 1300 UTC August 1, 2002.

The following MD5 checksum information was provided for fixed versions of openssh:

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
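The checksum comparison described above, as an added example that is not part of the original advisory or the OpenSSH project's own tooling: it parses the MD5 lines listed in the advisory and reports whether a downloaded file matches, differs, or is not listed. The function names are assumptions made for this illustration, and the example covers only the checksum comparison, not the .sig signature files.

```python
import hashlib
import hmac
import re
import sys
from pathlib import Path

# Checksum lines exactly as listed in the advisory above (BSD md5(1) format).
ADVISORY_MD5 = """\
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
"""

LINE_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-f]{32})$")

def parse_manifest(text):
    """Return {filename: digest}; reject any line that is not a checksum line."""
    known = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised checksum line: {line!r}")
        known[m["name"]] = m["digest"]
    return known

def md5_of(path, chunk=1 << 16):
    """Hash the file in chunks so large tarballs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_download(path, known):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    expected = known.get(Path(path).name)
    if expected is None:
        return "unlisted"  # a renamed file is never silently accepted
    return "ok" if hmac.compare_digest(md5_of(path), expected) else "mismatch"

if __name__ == "__main__":
    known = parse_manifest(ADVISORY_MD5)
    results = {p: check_download(p, known) for p in sys.argv[1:]}
    for p, status in results.items():
        print(f"{status:9} {p}")
    sys.exit(0 if results and all(s == "ok" for s in results.values()) else 1)
```

Run it with the downloaded file names as arguments; any result other than `ok` means the file should not be unpacked or compiled.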