
Trojan Found in libpcap and tcpdump

michael posted more than 11 years ago | from the when-your-packet-sniffer-won't dept.

Security 486

msolnik writes "Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here or here."


486 comments


Trojan Found in libpcap and tcpdump!? (0)

Anonymous Coward | more than 11 years ago | (#4658396)

What!? I didn't even know they were dating!

Re:Trojan Found in libpcap and tcpdump!? (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4658550)

LOL mad propz

FP (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4658401)

FP

YOU FAIL IT! (-1, Troll)

YOU FAIL IT! (624257) | more than 11 years ago | (#4658430)

That's right, you have FAILED again. Worse, you were DEFEATED by an on-topic post! Perhaps you should just give up and end this FAILURE of a life now.

This is bad for Microsoft... (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4658414)

... but great for Open Source.

Hey, Slashdot, (3, Funny)

gazbo (517111) | more than 11 years ago | (#4658561)

I was just wondering how long these sources have been available with these many eyes making bugs shallow and so forth? I'm assuming it's less than 1 hour, because as I keep being told, everyone in the open source community checks all source code thoroughly before installing it, which is something that can't be done with closed source.

Glad I use Gentoo (4, Informative)

rob-fu (564277) | more than 11 years ago | (#4658415)

Emerge doesn't get tcpdump source from tcpdump.org, but from ibiblio.org.

How did it get into tcpdump.org's sources exactly? The HLUG page isn't clear.

Re:Glad I use Gentoo (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4658485)

LOL - and where might ibiblio get them from? Fucktard.

Re:Glad I use Gentoo (0)

Anonymous Coward | more than 11 years ago | (#4658505)

read the page:

Good sources:
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz

Re:Glad I use Gentoo (-1, Flamebait)

Anonymous Coward | more than 11 years ago | (#4658589)

Mmmmm. Gentoo, mmmmmm gentoo r0x0r5 so much i'm wanking right now... mmm love it, gentoo is sooo fucking cool, like the best parts of BSD (the licence? no, 'fraid not) and the worst parts of linux (the licence? 'fraid so.) What is it with you Gentoo 'tards? RH not unstable enough for you? LFS too hard? Oh, yes I forgot, you all have Athlon 2200+ that you use for surfing the web, so obviously you have spare cycles for rebuilding your distro every fucking week. Fucking dumbass source distro if ever there was one - a good job daddy bought you all those CPU cycles in exchange for blowjobs and tight anal sex, isn't it?

Re:Glad I use Gentoo (0)

Anonymous Coward | more than 11 years ago | (#4658630)

gentoo is good times.

Re:Glad I use Gentoo (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4658665)

I guess you're talking about the blowjobs and the tight anal sex.

Re:Glad I use Gentoo (5, Interesting)

dohcvtec (461026) | more than 11 years ago | (#4658602)

How did it get into tcpdump.org's sources exactly?
Presumably the tcpdump.org FTP server got 0wned, and the trojan was planted, but the people that found the trojan aren't the server admins - they just found it in the source they downloaded. And I doubt we will find out how the perpetrators got in, either. It would have been nice to find out in more detail what happened when the OpenBSD FTP server was compromised, but people are usually tight-lipped in these cases.

Re:Glad I use Gentoo (-1)

Anonymous Coward | more than 11 years ago | (#4658686)

...and where do you think ibiblio.org get their sources from?

Re:Glad I use Gentoo (0)

Anonymous Coward | more than 11 years ago | (#4658700)

read [slashdot.org]

prison (-1, Flamebait)

HBI (604924) | more than 11 years ago | (#4658422)

One of the flaws of open source in our current legal environment is that the ill intent of the authors of such malevolent code appears not to matter much. If there is no money involved, they get away with it.

I'd personally like to see them getting ass raped in a federal prison or the equivalent institution in a non-US locale. I'll keep dreaming.

Re:prison (-1, Offtopic)

l33t j03 (222209) | more than 11 years ago | (#4658445)

Ok then, you keep having your ass rape dreams. Be sure to use bleach when you wash the sheets.

Re:prison (2, Insightful)

outofpaper (189404) | more than 11 years ago | (#4658584)

While it is true that:

our current legal environment is that it appears to not matter much the ill intent of authors of such malevolent code

It is also true that it is only because this is an open source project that such code was found. People seem to forget that there is no really efficient way of checking closed software for security holes. On top of that, companies are more than likely to place back doors in programs as actual features that are not mentioned in documentation, or only glazed over. My example for this was a business program that I work with, which had the "option" for you to enter a code into one of the text fields if you set the computer's date to a specific date, and then you would be able to edit all records, thus bypassing the simple code that it uses. I found out about the feature when there was a problem with some of the records, and since the files are encoded I wasn't going to search through them in any easy way, so I contacted the program's distributor and they told me of this feature. Just think how many other progs out there have stuff like that.

as soon as this evening... (2)

mirko (198274) | more than 11 years ago | (#4658423)

apt-get update...
Well, I have not installed these sniffing proggies, so it should be okay.
Now it could be worse:
If you suspect your binaries to be trojanized, you'd want to sniff your own machine, but if (and it is the case) the sniffer is trojanized, then it could possibly hide such "activities"...
I actually read the article, and it seems, however, that it was not the case here...
phew :-)

Hrmm (2, Funny)

Anonymous Coward | more than 11 years ago | (#4658425)

Who would have thought that TCPDUMP would have crap like that in it?

Eventually, this would happen (5, Insightful)

Rotten (8785) | more than 11 years ago | (#4658426)

And if I remember correctly, this has happened before. Of course this is one of the biggest strengths of the Open Source Model.
Code is constantly audited, checked and corrected. If your closed source software has backdoors or trojans...well....who knows, but in Open Source it is easily detected.

Re:Eventually, this would happen (1)

rekulator (582156) | more than 11 years ago | (#4658541)

Yeah, it's pretty much fine. But then again if the source is not available it makes 3rd party backdoors etc. pretty much harder to create, don't you think?

Of course this doesn't apply to the backdoors which are inserted by the creator of the closed source app.

Re:Eventually, this would happen (0, Informative)

Anonymous Coward | more than 11 years ago | (#4658556)

If your closed source software has backdoors or trojans...well....who knows

Closed src doesn't have its src on some webserver for some kiddie to trojan in the first place. Sure, there's the possibility of some employee or the employer itself trojaning the src, but most open source trojans are someone breaking into the web server and uploading modified src. By definition this won't happen with closed src since closed src doesn't release src, so your argument is irrelevant.

Re:Eventually, this would happen (2, Interesting)

Rotten (8785) | more than 11 years ago | (#4658615)

Personally I've seen many backdoors in closed source software; even more, as a programmer years ago, I was instructed to put backdoors in banking software by my employer and the bank auditing team. And let me tell you that the security was so bad that I personally switched my bank account from that institution to another.
I don't think the only irrelevant comment is thinking that bad things(r) happen only in one place. Like I said, on open source software, I Can Audit Myself The Code.

Re:Eventually, this would happen (2)

shatfield (199969) | more than 11 years ago | (#4658682)

Some "kiddie" most likely did not do this.

Perhaps this is the work of an international ring of expert black hat hackers who are doing this in order to build up their network of computers that are available as jumping points for future hacking?

I'm not worried about "kiddies" in the closed source world, but about the incredibly devious companies that produce programs. Don't think for a second that Microsoft hasn't put backdoored software onto your computer.. that's already been documented [fuckmicrosoft.com] .

Re:Eventually, this would happen (5, Informative)

khendron (225184) | more than 11 years ago | (#4658558)

Easily detected? I wonder about this. If you look at the date stamp on the trojaned configure script, it is December 10th, 2001.

Does that mean that this trojan has been around for almost a year before anybody noticed? If that's true, it does not meet my definition of "easily detected".

Re:Eventually, this would happen (4, Insightful)

Rotten (8785) | more than 11 years ago | (#4658628)

Of course you have never dissected a rootkited server. Nobody trusts the date stamps, not even my grandmother does.

Have you ever changed the date of a file? It's quite easy.

Re:Eventually, this would happen (0)

Anonymous Coward | more than 11 years ago | (#4658572)

"If your closed source software has backdoors or trojans...well....who knows, but in Open Source it is easily detected."

Maybe the thousands of testers and code auditors hired at each bigger software company? Microsoft has about 1700 testers and auditors looking at XP alone. I don't know the total for all their products, but it's a lot of people.

If it's open source anyone can claim to be anyone they want to and check in trojans or viruses without anyone really having any control over it.

Re:Eventually, this would happen (2, Insightful)

Rotten (8785) | more than 11 years ago | (#4658669)

Please, I just replied to two other "MAYBE" posts. Talk about facts:

The same that applies to somebody breaking into an open source code repository applies to a closed source repository.

If the trojaned code is inserted after the auditing and goes into a production/distribution state, then the consumer/user has NO WAY to detect the problem.

You are talking about the same Microsoft that wants to take to court independent researchers that detect security flaws in MS products?

Or the same Microsoft that hides security problems on their products?

And...Have you ever used CVS?

Re:Eventually, this would happen (2, Interesting)

Anonymous Coward | more than 11 years ago | (#4658667)

This argument can of course be reversed: Because sources are open, one can insert trojans.

So there's no point mentioning it.

The point is: When was the specific change added? By whom? The maintainer should know. Let us know. Then put the person who sent in the patch with the trojan in a black list so his/her future patches to open source programs are first severely checked, if accepted at all.

That's more like it -I think-.

Re:Eventually, this would happen (1)

Rotten (8785) | more than 11 years ago | (#4658687)

I think nobody included this patch officially; even a student can detect something fishy in those lines.

Obviously the code slipped in without the code maintainers' knowledge; possibly someone found a way to circumvent security policies.

Seems (2, Informative)

jamesjw (213986) | more than 11 years ago | (#4658427)


It seems that now, more than ever, there is a need to check the authenticity of your sources before installing.

As if security auditing wasn't a big enough headache already :(

Re:Seems (-1, Flamebait)

l33t j03 (222209) | more than 11 years ago | (#4658502)

You stupid fucking bastard, the source was the author, how the fuck more authentic can you get?

It seems to me that it is now more important than ever to buy a Microsoft [microsoft.com] product so you don't fall prey to wicked hackers because the 16 year old pizza delivery boy who wrote the software that blits rectangles to your screen was running a compromised version of glibc that allowed a 25 year old pedophile from Pakistan to insert a trojan in said rectangle blitting program.

Just buy it from Microsoft [microsoft.com] . A) They have a vested interest in selling you good software. B) You won't end up with 5000 little screwball codelets each designed to perform some minuscule function, that are impossible for you to actually audit because you don't have enough time, even if you gave up anime AND skipped the Harry Potter premiere.

Re:Seems (2, Redundant)

Marx_Mrvelous (532372) | more than 11 years ago | (#4658593)

You mean you don't check the checksum before you install software now? There's a reason that they provide the md5 for the compressed code!

Re:Seems (5, Insightful)

paranoos (612285) | more than 11 years ago | (#4658664)

If some malicious coder could upload manipulated software, do you not think they could also spoof the MD5 sum also? From what I've seen, the checksum is usually just stored in a text file in the same directory.

Re:Seems (2, Insightful)

fitten (521191) | more than 11 years ago | (#4658677)

md5sum doesn't guarantee anything other than saying that the version you downloaded was the one that the author/host put out there for you to download (and not someone else's). If the author/host put a trojan in it, the md5sum will be for the trojan'd software.

In the end, it still comes down to whether or not you (can) trust the author/host.

Re:Seems (1)

phil reed (626) | more than 11 years ago | (#4658685)

Wasn't the published MD5 changed to match the trojaned code? I believe that's what happened in the earlier case.

Re:Seems (1)

jamesjw (213986) | more than 11 years ago | (#4658659)


I am very careful, and trusting code from the authors/primary distribution site has in recent times (e.g. in the case of Sendmail 8.12.6) proven that you can't trust the distribution point; you need to check that the version that's there is the version the authors intended to send out (MD5 checksums are the most widely accepted way of doing this).

But a bit more security around the fileservers and webservers where these files are distributed from would never go astray.

This is dreadful (-1, Insightful)

The_Jazzman (45650) | more than 11 years ago | (#4658433)

I run a successful London-based dot com (yes, they do exist :) and we've been having to run around like headless chickens all day because of this.

Is it really too much trouble to do an MD4?

It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.

Re:This is dreadful (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4658475)

"It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this. "

Doesn't the money come from the money you've saved by not having to pay for any software? What did your business plan mention about this? Just a blank page, right? Try it out and see what happens? Well, it's your money!

That's not a problem, that's a feature (2, Insightful)

Anonymous Coward | more than 11 years ago | (#4658491)

there's no-one to pay me to pay my staff for the lost man-hours caused by this.
But then again, you had to pay no-one for the man hours you saved by using the open-source code.

Re:This is dreadful (2, Informative)

vadim_t (324782) | more than 11 years ago | (#4658512)

Excuse me if I sound disrespectful, but that makes me really doubt your skills. MD4? First, usually what's used is MD5, second it's just a hash and doesn't ensure the file hasn't been tampered with. All you need is to run md5sum on the patched file.

Now, good GPG signatures would have helped.

Re:This is dreadful (1, Insightful)

Anonymous Coward | more than 11 years ago | (#4658607)

"Good" being the operative keyword.

It would be best not to download the author's public key from the same place you get the source, or else you might as well be fucked. "Gee! It checks out alright, it must have come from my vendor!" Not necessarily.

Re:This is dreadful (0)

Anonymous Coward | more than 11 years ago | (#4658530)

"there's no-one to pay me to pay my staff for the lost man-hours caused by this."

I'm still expecting my check from MicroSoft for my lost man hours.

NO CARRIER

Re:This is dreadful (-1)

Anonymous Coward | more than 11 years ago | (#4658534)

Dude, how the fuck do you run a successful dot com?

Is it really too much trouble to do an MD4?
I don't know. An MD5 with my eyes closed, but an MD4?

Re:This is dreadful (0)

Anonymous Coward | more than 11 years ago | (#4658681)

MD4, MD5 - whatever it takes.

(With apologies to Michael Keaton)

Re:This is dreadful (5, Insightful)

jimand (517224) | more than 11 years ago | (#4658539)

there's no-one to pay me to pay my staff for the lost man-hours caused by this

Did Microsoft pay you for lost man-hours when your staff battled Nimda or Code Red? Didn't think so.

Re:This is dreadful (4, Funny)

phaze3000 (204500) | more than 11 years ago | (#4658648)

It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.

I couldn't agree more, if those cheap-arsed hippies who write Linux would only pay up when there's a problem with their software like reputable commercial companies like Micros.. err, Oracl.. err actually, forget it.

Re:This is dreadful (2)

Erik Hollensbe (808) | more than 11 years ago | (#4658695)

It's the one problem with the open-source community - there's no-one to pay me to pay my staff for the lost man-hours caused by this.

Do you expect sun or microsoft to pay you, either?

well... (0)

Anonymous Coward | more than 11 years ago | (#4658436)

not really a good show for open source...

I mean, I love open source code, but does it seem that it is more susceptible to trojans being planted? I mean, any Tom, Dick and Harry can release code, and it may not be checked for things like this.

How about setting up an independent body of volunteers, who go through commonly used programs and check for this sort of thing. Then they can issue some kind of certification or "stamp of approval" on that particular release. That way, a user can at least tell that some basic source code scrutiny was done...

Any comments welcome...

Re:well... (1)

EzInKy (115248) | more than 11 years ago | (#4658646)

Doesn't the HLUG, who were in fact scrutinizing the code when they discovered the trojan, qualify as an independent body of volunteers in your book?

Hmmm (0)

Anonymous Coward | more than 11 years ago | (#4658440)

So if you're like me, and you don't actually use the source code (just precompiled versions) then you've got no problem, right?

Re:Hmmm (-1, Troll)

Anonymous Coward | more than 11 years ago | (#4658472)

Stop! YOUR COMPUTER is BROADCASTING an IP address

mirrors for a just in case (1, Informative)

Anonymous Coward | more than 11 years ago | (#4658449)

mirror 1 in italy [def-con.org] mirror 2 in poland [bmtmc.gda.pl]
blah blah blah... just don't feel like fscker dying all by itself. yadda yadda yadda, beowulf cluster hootie hoo, slashdot should cache unfta unf, I need head

This Trojan thing... (2, Interesting)

Big Mark (575945) | more than 11 years ago | (#4658450)

It's not unusual at all in the Unix world. Pete's sake, K. Ritchie (he who invented Unix and C, or at least part of the team) put trojans into early versions of cc and login so that he could get access to _any_ unix system.

It worked with the trojaned compiler making bent versions of the login program. You couldn't detect it as if you compiled another version of cc or login from clean source the bent cc would infect that one and the cycle of infection continued. Very cleverly done.

Actually, for all you know maybe every version of gcc ever allows RMS and Torvalds into your box...

K. Ritchie, who's that then? (1)

plugger (450839) | more than 11 years ago | (#4658499)

K. Ritchie? Are you getting confused by the K&R book? It's D. Ritchie, if memory serves.

Re:This Trojan thing... (5, Informative)

JamesO (56897) | more than 11 years ago | (#4658511)

It's Dennis Ritchie.

And he only might have done it (can you tell?)

See http://www.acm.org/classics/sep95/ [acm.org] for more details

Re:This Trojan thing... (0)

Anonymous Coward | more than 11 years ago | (#4658520)

I've never read anything indicating that he actually did this. However, I've read a talk he gave where he described just such a problem.

Re:This Trojan thing... (0)

Anonymous Coward | more than 11 years ago | (#4658641)

Actually, it's D. Ritchie. I'm assuming the K. you mention is in reference to Brian Kernighan (sp?). He and Dennis Ritchie were the two who wrote the famed C reference book, and generally the Unix team is considered to be the two of them and Ken Thompson for the most part.

Ewww (2, Funny)

segfault7375 (135849) | more than 11 years ago | (#4658461)


Trojan Found in libpcap and tcpdump

I swear, some of these source trees are worse than the canals of Venice. :)

MD5 checksums (4, Insightful)

Zayin (91850) | more than 11 years ago | (#4658464)

Use them.

Re:MD5 checksums (5, Insightful)

diamondc (241058) | more than 11 years ago | (#4658521)

if someone breaks into an ftp server, they might as well replace the md5 signatures, too. a better solution would be signing the sources with a gpg key.

Re:MD5 checksums (2, Interesting)

AccUser (191555) | more than 11 years ago | (#4658576)

That's good if you can assure that the MD5 checksum is for the original tarball. What if the guy who placed the trojan placed a new MD5 checksum as well?

Re:MD5 checksums (0)

Anonymous Coward | more than 11 years ago | (#4658592)

Use PGP signatures.

Re:MD5 checksums (1)

AccUser (191555) | more than 11 years ago | (#4658635)

Take a look at tcpdump.org [tcpdump.org] . There are no MD5 checksums for any of the tarballs. Doesn't change my last comment, though. :-)

Re:MD5 checksums (0)

Anonymous Coward | more than 11 years ago | (#4658639)

Okay.

# md5sum /usr/sbin/tcpdump
0a1c85e1c9f3a4b230162f632b9af22a /usr/sbin/tcpdump
# md5sum /lib/libcap.so.*
c3d060dacea53e52da8a5a37820073ef /lib/libcap.so.1
c3d060dacea53e52da8a5a37820073ef /lib/libcap.so.1.10

Knock yourself out.
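The point made in this thread and earlier by paranoos, fitten and vadim_t (a checksum stored next to the tarball is replaced along with it, and a signature only helps if the public key did not come from the same server), as an added example that is not part of the original discussion or of tcpdump.org's release process. The mirror is an in-memory dict, the tarballs are constructed byte strings, and the signatures use deliberately tiny textbook RSA keys built from fixed Mersenne primes, a toy stand-in for GPG so the script runs offline with only the standard library:

```python
"""Added example: why a co-located .md5 proves nothing after a server
compromise, while a signature checked with an offline key does, and why
fetching the key from the same server throws that protection away.
Toy RSA (no padding, tiny modulus) stands in for GPG; nothing here is
tcpdump.org's or HLUG's code."""
import hashlib

E = 65537  # public exponent shared by both toy keys


def make_toy_key(p, q):
    """Textbook RSA from two fixed primes; returns (n, e, d). Toy only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return n, E, d


def digest_int(data):
    """MD5 digest as a 128-bit integer; always below every modulus used here."""
    return int.from_bytes(hashlib.md5(data).digest(), "big")


def toy_sign(data, priv):
    n, _, d = priv
    return pow(digest_int(data), d, n)


def toy_verify(data, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest_int(data)


# Maintainer's key: generated offline; the private half never touches the mirror.
MAINT_PRIV = make_toy_key(2**61 - 1, 2**89 - 1)
MAINT_PUB = MAINT_PRIV[:2]


def publish_release(tarball, priv):
    """Everything a maintainer uploads: tarball, co-located .md5 file,
    detached signature and (unwisely) the public key on the same server."""
    n, e, _ = priv
    return {
        "tcpdump.tar.gz": tarball,
        "tcpdump.tar.gz.md5": hashlib.md5(tarball).hexdigest().encode(),
        "tcpdump.tar.gz.sig": str(toy_sign(tarball, priv)).encode(),
        "KEY.pub": f"{n}:{e}".encode(),
    }


def attacker_rewrites_mirror(mirror, trojaned):
    """Server compromise: the intruder swaps the tarball and regenerates the
    .md5, the signature and the published key using a key of their own."""
    intruder_priv = make_toy_key(2**107 - 1, 2**127 - 1)
    mirror.update(publish_release(trojaned, intruder_priv))


def check_colocated_md5(mirror):
    """What 'md5sum -c' against the .md5 file on the same server tells you."""
    actual = hashlib.md5(mirror["tcpdump.tar.gz"]).hexdigest().encode()
    return actual == mirror["tcpdump.tar.gz.md5"]


def check_pinned_md5(mirror, pinned_hex):
    """Checksum obtained out of band: a release announcement, a second
    mirror, or the value recorded from an earlier trusted download."""
    return hashlib.md5(mirror["tcpdump.tar.gz"]).hexdigest() == pinned_hex


def check_signature(mirror, pub):
    sig = int(mirror["tcpdump.tar.gz.sig"])
    return toy_verify(mirror["tcpdump.tar.gz"], sig, pub)


def key_from_mirror(mirror):
    """The mistake from the thread: trusting whatever KEY.pub the server serves."""
    n, e = (int(x) for x in mirror["KEY.pub"].split(b":"))
    return n, e


def scenario():
    """Run all four checks against the mirror after a full compromise."""
    clean = b"constructed stand-in for a clean tcpdump release tarball\n"
    trojaned = clean + b"/* constructed marker standing in for injected code */\n"
    mirror = publish_release(clean, MAINT_PRIV)
    pinned = hashlib.md5(clean).hexdigest()  # recorded from an independent source
    attacker_rewrites_mirror(mirror, trojaned)
    return {
        "colocated_md5_passes": check_colocated_md5(mirror),   # True: false assurance
        "pinned_md5_passes": check_pinned_md5(mirror, pinned),  # False: tamper caught
        "sig_with_offline_key_passes": check_signature(mirror, MAINT_PUB),  # False
        "sig_with_key_from_mirror_passes": check_signature(mirror, key_from_mirror(mirror)),  # True
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```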

mars.raketti.net (3, Interesting)

solostring (620535) | more than 11 years ago | (#4658465)

The program connects to 212.146.0.34 (mars.raketti.net) on port 1963

With that information, I suppose that it is easy to find out which Finnish 'author' included the trojan, and would be simple to track him down. But my question is how something like this could have been included in an open source code and released to the general public?

Re:mars.raketti.net (2)

Draoi (99421) | more than 11 years ago | (#4658568)

Chances are, it's some other hapless admin's r00ted box .....

Re:mars.raketti.net (1, Funny)

Anonymous Coward | more than 11 years ago | (#4658595)

Easy. Same way it happens to OpenSSH, and the OpenBSD kernel (you know that current revisions of OpenBSD are trojaned all to hell, don't you?)... First you come up with the "killer exploit"; this is known in our little community as "0day"... THEN, you exploit the tome of information, be it openbsd.org, kernel.org, tcpdump.org etc.. and insert your code. You can prepare days in advance with your new version, so really, breaking the box is the only real hard part..

1. wget http://www.foo.com/useful-app.tar.gz

2. tar -xzf useful-app.tar.gz

3. vi something.c

4. tar -cf useful-app.tar.gz useful-app/

5. md5sum useful-app.tar.gz > useful-app.md5

6. ./hax0r-the-hell-out-of www.foo.com

7. scp ~/useful-app.tar.gz
www.foo.com/useful-app.tar.gz

8. scp ~/useful-app.md5 www.foo.com/useful-app.md5

9. vi /var/log/syslog

10. ????

11. pr0fit.

or if you are openbsd, you bribe a developer for their commit access.. or you break the developer's box..

isn't hacking for world domination fun?

This is a growing trend (2, Interesting)

Anonymous Coward | more than 11 years ago | (#4658476)

This never used to happen. Now it is like as if someone is intentionally trying their luck to trojan open-source projects. The crack0r types usually try to claim some kind of responsibility to increase their m0j0, but I haven't heard of anyone doing so. Usually a crack0r will try to make the trojaning *bad* to further make themselves feel better, but these trojanings are often in name only, and are of no real security threat. I am wondering if this is an anti-freesoftware publicity ploy by some individual or group.

Good - nowcatching up with Microsoft.. (0)

jkrise (535370) | more than 11 years ago | (#4658477)

What good having 'pure' source code minus viruses, worms and trojans? MS showed the way with some Korean CDs infested with bugs. Can penguins be far behind?

what about winpcap? (0)

Anonymous Coward | more than 11 years ago | (#4658504)

what about winpcap?

Siltakoski Petri is somehow connected with this... (0, Interesting)

twoslice (457793) | more than 11 years ago | (#4658514)

Either that or someone has trojaned (is that a word?) his site!

The trojan contacts the following website:

http://mars.raketti.net/~mash/services

DNS Details:

Registrant:
Kuopion Puhelin Oyj (RAKETTI2-DOM)
KUOPIO, 70780
KUOPIO,70780
FI

Domain Name: RAKETTI.NET

Administrative Contact, Technical Contact:
Siltakoski Petri (SP730-ORG) admin@DOMAIN.RAKETTI.NET
Kuopion Puhelin Oyj
Levasentie 23
KUOPIO
FINLAND
+358-17-302329
Fax- +358-17-3614904

Record expires on 07-Oct-2004.
Record created on 08-Oct-1998.
Database last updated on 13-Nov-2002 08:36:01 EST.

Domain servers in listed order:

NS1.RAKETTI.NET 212.146.0.10
NS2.RAKETTI.NET 212.146.0.11

Re:Siltakoski Petri is somehow connected with this (3, Informative)

rekulator (582156) | more than 11 years ago | (#4658594)

Yeah! Let's nail his ass! ..
Oh wait, perhaps he's just the tech guy working for the company which registered the domain "raketti.net", Kuopion Puhelin. It's a telecom and net operator after all.

Re:Siltakoski Petri is somehow connected with this (0)

Anonymous Coward | more than 11 years ago | (#4658608)

This is a local ISP, a telephone company.

Don't jump to conclusions (5, Insightful)

astrashe (7452) | more than 11 years ago | (#4658610)

The good blackhats have lots of compromised machines at their disposal, and are generally way too clever to leave such an obvious clue behind.

It's possible that this guy has something to do with it, but it's more likely that his machine is owned by the same person who managed to put the trojan out there.

Re:Siltakoski Petri is somehow connected with this (4, Informative)

Masa (74401) | more than 11 years ago | (#4658642)

Siltakoski Petri is somehow connected with this

Yes and no. The information you have successfully received from the Whois database is pointing to the phone company in Finland, which happens to be a host for raketti.net domain. Petri Siltakoski is just an administrative contact of the ISP (Raketti.Net). He has nothing to do with the web page set up by an individual who seems to have an account in this ISP.

Re:Siltakoski Petri is somehow connected with this (2)

dohcvtec (461026) | more than 11 years ago | (#4658651)

Siltakoski Petri is apparently just the guy who registered that domain. It could be that a user from that domain is involved or, as you said, that server has been r00ted. Funny, though, http://mars.raketti.net/~mash/services is nothing but a FreeBSD /etc/services file.

Security getting worse? (2)

Noryungi (70322) | more than 11 years ago | (#4658519)

... or are script kiddies getting better?

Seriously, though, I think the ideal solution would be to do multiple checks of the RC5 signature of newest packages, over several mirrors. The advisory mentioned that tcpdump.org was compromised, while the mirror at ibiblio.org was OK.

Or use Gentoo Linux. Of course. I can't do that, since I don't have broadband at home... =(

One too many? (4, Insightful)

simpleguy (5686) | more than 11 years ago | (#4658522)

Isn't this one too many?

There was dsniff, BitchX, OpenSSH etc. and today tcpdump and libpcap?

Does anyone else think that someone has found a security hole in a popular unix daemon and is having some fun with it before notifying the authors. Or maybe there is a *VERY NASTY* exploit circulating privately?

At least that's what I think.

Re:One too many? (0)

Anonymous Coward | more than 11 years ago | (#4658557)

I thought this was common knowledge of the hacking community. Often exploits are found before IT professionals cuz they're busy dealing with project deadlines. Which is why the old line about disclosure is total BS. In many cases, the vulnerabilities were known in the hacker community before it appeared in some news article.

Re:One too many? (0)

molli123 (517528) | more than 11 years ago | (#4658569)

Wasn't there a trojan in sendmail, too ?

Micha !

Re:One too many? (5, Insightful)

LostCluster (625375) | more than 11 years ago | (#4658622)

As Linux becomes more popular, the dumber system admins who never patched their Windows systems now have Linux systems. All it takes is a small handful of people to not know there is a wide-open back door, or worse yet know but be too lazy to take the corrective action, and there's enough zombies to cause headaches.

Re:One too many? (0)

molli123 (517528) | more than 11 years ago | (#4658689)

Do you fully read the source code downloaded before compiling and installing? I don't think this is because of dumb sysadmins, but because of the masses of code written, so no one can check everything he is really installing. Micha !

If it's in the repository, how hard... (0)

Anonymous Coward | more than 11 years ago | (#4658532)

...could it be to search the repository for the insertion date?

cleaning? (3)

mr. marbles (19251) | more than 11 years ago | (#4658545)

so seeing as how there's no trojan cleaning program in linux, how does a person infected with the trojan rid his system of it? is it as simple as installing the non-trojan version?

Er, I thought trojans were for preventing... (2, Funny)

quintessent (197518) | more than 11 years ago | (#4658618)

...wait...never mind.

Isn't a Trojan a kind of condom? (1)

EnlightenmentFan (617608) | more than 11 years ago | (#4658564)

Somebody's been messing around there, don't you think?

what about current (0)

Anonymous Coward | more than 11 years ago | (#4658578)

the pages say the latest release(7.1) is vulnerable on some mirrors, but no mention is made of the libpcap-current tarball available on tcpdump.org

Houston .. Bush .. Cheney... (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4658580)

Sounds like a Texas conspiracy here!

Microsoft must be financing this, time to look! (-1, Offtopic)

Anonymous Coward | more than 11 years ago | (#4658598)

Think about this for a moment.

There is only one beneficiary if a trojan is successfully released in an Open Source project.. and it's Microsoft.

Also, people should pay attention to where they get and how they distribute their source. It doesn't take much to generate an md5 checksum. Come on! Just make sure you get your source from the source, and check the source against your md5 checksum. Not a big deal.

Why do I have a feeling (2)

Raul654 (453029) | more than 11 years ago | (#4658621)

...that this little incident will not be mentioned in the next edition of the Cathedral and the Bazaar?

Gentoo users rejoice (1)

decarelbitter (559973) | more than 11 years ago | (#4658625)

Once again, Gentoo users wouldn't have had any problems, thanks to the wonderful portage system.

Re:Gentoo users rejoice (0)

Anonymous Coward | more than 11 years ago | (#4658637)

you're an idiot.

explain please? (0)

Anonymous Coward | more than 11 years ago | (#4658691)

I have just started using Gentoo and have not finished reading through the docs yet. As such, I am unaware of how this problem would be avoided using Portage. Now if you referring to rolling back, then I understand that...

So much for peer auditing? (1, Troll)

steve.m (80410) | more than 11 years ago | (#4658640)

The trojaned code has been around for almost a year, from the project homepage (where most people would go for the source), and nobody spotted it.

It highlights the fact that a sizeable part of the open source user base either can't read code, or don't want to.

Reply from a mirror site to HLUG and tcpdump.org (5, Informative)

Dogcow (7944) | more than 11 years ago | (#4658661)

This was just sent ~1 min ago:

To : msolnik@hlug.org
Cc : wt-changes@wiretapped.net,
tcpdump-workers@tcpdump.org,
mcr@sandelman.ottawa.on.ca
Subject : tcpdump.org mirrors
----- Message Text -----
Hi guys,

I run the main mirror of tcpdump at wiretapped.net (no relation to wiretapped.us) in Australia. We rsync from cvs.tcpdump.org, and have removed the entire tcpdump.org tree and disabled rsync updates until we hear from Michael Richardson at tcpdump.org.

You may like to add this info to your Updates area, as the unavailability of the main mirror site may seem suspicious. It is not, as described above.

Because wiretapped.net itself is mirrored to a few other sites, it may take between 1 hour and 24 hours for this removal (and any subsequent re-addition) to take effect. We'll note when it goes back online at http://www.wiretapped.net/changelog.html

Hope this assists in preventing any further spread,

Grant
www.wiretapped.net

Accountability (2, Interesting)

Mephie (582671) | more than 11 years ago | (#4658676)

I admit to not knowing a lot about open source development, not being a developer myself. But I'm curious: is there any sort of legal accountability when someone intentionally codes a trojan into a piece of software? Is it possible to keep track of who is writing what code? When trojans, etc., are discovered, are you limited to just patching them and going from there, or is it usually possible to find out who did it and therefore be suspicious of future code?

trojan (0)

ciscoeng (411359) | more than 11 years ago | (#4658697)

Who says geeks don't have condoms?
