OpenSSH Trojan Horse Vulnerability

by Nikola Strahija on August 5th, 2002

Reportedly, ftp.openbsd.org, the server hosting OpenSSH, was compromised recently. It has been reported that the intruder modified the OpenSSH source code to include trojan horse code. Copies of the OpenSSH source code downloaded from ftp.openbsd.org between July 30, 2002 and July 31, 2002 likely contain the trojan code.

The trojan code appears to be included in the file bf-test.c. Reports say that the trojan runs once, when OpenSSH is compiled. The trojan process is named 'sh' or takes the name of the compiling user's default shell. Once executed, the trojan attempts to connect to 203.62.158.32 on port 6667. The trojan will then wait for one of three commands.

The following sites have also been reported to carry the trojaned version of openssh-3.4p1.tar.gz:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/
ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/
ftp://ftp1.se.openbsd.org/pub/OpenBSD/OpenSSH/

It is not known whether other sites are affected as well.

*** The OpenSSH team has released an advisory. Fixed versions of OpenSSH have been available for download since 1300 UTC August 1, 2002. The following MD5 checksum information was provided for the fixed versions of OpenSSH:

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a

Remote: Yes
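
An added example, not part of the original article or the OpenSSH advisory: a Python check that parses the `MD5 (file) = digest` lines quoted above, compares a downloaded tarball against them, and lists any archive member named bf-test.c, the file the reports tie to the trojan. The function names are hypothetical, and MD5 is used only because it is what the advisory published.

```python
import hashlib
import os
import re
import tarfile

# Checksum lines copied from the advisory text on this page (BSD md5 output format).
ADVISORY = """\
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a
"""

LINE_RE = re.compile(r"^MD5 \((?P<name>[^)]+)\) = (?P<digest>[0-9a-fA-F]{32})$")

def parse_checksums(text):
    """Return {filename: lowercase md5 hex}; a malformed line is an error, not a skip."""
    table = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed checksum line: {line!r}")
        table[m["name"]] = m["digest"].lower()
    return table

def md5_of(path, chunk=1 << 16):
    """Hash the file in chunks so large tarballs are not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, published_name, table):
    """Return 'ok', 'mismatch', or 'unlisted' (name absent from the advisory list)."""
    expected = table.get(published_name)
    if expected is None:
        return "unlisted"
    return "ok" if md5_of(path) == expected else "mismatch"

def suspicious_members(tar_path, needle="bf-test.c"):
    """List archive members whose basename is the file named in the reports."""
    with tarfile.open(tar_path) as tar:
        return [m.name for m in tar.getmembers() if os.path.basename(m.name) == needle]
```

A `mismatch` for a listed file name, or any path returned by `suspicious_members`, means the tarball warrants review before it is unpacked and built.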

