Slashdot: News for Nerds

Trojan Added to TCP Wrappers Source on FTP

CmdrTaco posted more than 15 years ago | from the this-ain't-so-cool dept.


P.J. Hinton wrote in to send us a link to a CERT advisory explaining that the sources to TCP wrappers were actually replaced with a nice new and improved version. Complete with a trojan. It was caught fairly quickly after it was uploaded, but it's still kinda scary. Update: 01/22 01:07 by CT : Several people sent the Bugtraq post over at Linux Today. A lot more details clarifying the situation.


50 comments

What a Wanker (0)

Anonymous Coward | more than 15 years ago | (#2035404)

Sounds like a real wanker thing to do.

First!!!! Nah Nah Nah (0)

Anonymous Coward | more than 15 years ago | (#2035405)

I'm the nerdy geek butt-head who was first today. Nayda Nady nah nah. Flame away!!! I'm a dork OK!

No Subject Given (0)

Anonymous Coward | more than 15 years ago | (#2035406)

This is just the reason why we need solid and unrestricted encryption software...

Not scary at all. (0)

Anonymous Coward | more than 15 years ago | (#2035407)

HAHAHAHAHA, I AM THE ONE WHO UPLOADED THE VIRUS, AND ITS ON YOUR SYSTEMS NOW TOO.

Do like the Chinese and (0)

Anonymous Coward | more than 15 years ago | (#2035408)

bring back the death sentence for hackers for acts of this nature.

First!!!! Nah Nah Nah (0)

Anonymous Coward | more than 15 years ago | (#2035409)

busted in front of all the slashdotters..

Warned in 1984 (0)

Anonymous Coward | more than 15 years ago | (#2035410)

Rather than just say we were warned a while ago, I'll put August 1984 as the date of publication. Is that long enough ago? Publicly available source has been susceptible to idiocy for a long time, and people have been saying that its being open also would allow detection. It was indeed detected, just as many bugs have been detected in public code. Now trace the server logs and bill the idiot.

Not scary at all. (0)

Anonymous Coward | more than 15 years ago | (#2035411)

You don't know if he calls himself a hacker.... :)

msdos moron (0)

Anonymous Coward | more than 15 years ago | (#2035412)

No, you are a moron who thinks that a virus is the same as a trojan.

Heh. (0)

Anonymous Coward | more than 15 years ago | (#2035413)

Great ideas. I'm a Brit myself, and we have all sort of things reserved especially for these people kept in the Tower of London. ;o)

MS Attack? (0)

Anonymous Coward | more than 15 years ago | (#2035414)

Could this be Micro$oft's first attack? Perhaps just a test? This is one of the few ways that OSS could be destroyed. If the programmers/developers spent all their time removing/fighting trojans, there would be no time to spend on improving or creating programs.
Wanted: Linux version of McAfee and Trojan Condom.

A now-proven hypothesis for OSS (0)

Anonymous Coward | more than 15 years ago | (#2035415)

I recall WU-ftpd 2.3 was infested with a trojan.
They bumped the version to 2.4 after that.
This occurrence is not the first, I am sure.

--P

Lessons Learned (0)

Anonymous Coward | more than 15 years ago | (#2035416)

Would this have ever been caught if the author did not sign his distributions? That seems to have been the only tripwire in place. And from what I have read, PGP signatures are not common.

But if the hacker chose his target a little more carefully, this trojan may never have been detected.

So the first step is to request all authors sign their work.

Is there anything else that can be done, to lay a second tripwire? I imagine that if one lock is good, two are better. But I don't know what other measures can be taken.

Not proof at all (0)

Anonymous Coward | more than 15 years ago | (#2035417)

So maybe they got one. Who's to say that there aren't thousands or more? Maybe even YOU are running a daemon with a backdoor. How would you know? You don't examine every part of the source.

Of course, you can assume if you got it from a reputable download site then the source has been checked by someone.

Trolling fsckhead (0)

Anonymous Coward | more than 15 years ago | (#2035418)

HAHAHAHAHA, I AM THE ONE WHO UPLOADED THE VIRUS, AND ITS ON YOUR SYSTEMS NOW TOO.

"Oh no! I've got a virus! My poor computer is going to burst into flames even as I type this!"*SHRIEK*

Get real. Slashdot has got to be the worst place to try to spoof someone like this. (Great haven for trolls, though...)

1) It's not a virus, it's a Trojan Horse. Not the same thing.
2) This is _source_code_ right? Code that was corrected and replaced within less than a day? How many people have downloaded that source, incorporated that code into something usable, compiled it, and are executing it right at this moment? Maybe a couple of dozen?

(Granted, there is a slim chance there are people who have downloaded that code, are using it in their products, and have not yet seen the CERT advisory. But I doubt there will be any of that code in circulation within 48 hours.)

Jay (=
(No cookie still, and probably justifying yet another troll attempt in the future...)

Just wrong! (0)

Anonymous Coward | more than 15 years ago | (#2035419)

If this was a WinNT trojan again.. most of the people here would be asking where they could find this program.. But when it is unix it is just almighty bad!.. I think that is just wrong and stupid.

Sign more than once (0)

Anonymous Coward | more than 15 years ago | (#2035420)

Is there anything else that can be done, to lay a second tripwire? I imagine that if one lock is good, two are better. But I don't know what other measures can be taken.

Multiple signatures, for one.

Have an interested third-party (maybe the FSF, or a new organization dedicated to this kind of validation for OSS products) who can authenticate the original signature as coming from the author and sign it themselves (putting the sealed envelope into another sealed envelope).

I think the evolution of open-source development will take such things into account. If sneaking Trojans into publicly available source becomes more of an issue, then project leaders or coordinators will probably incorporate encryption/authentication or checksums into distributed source or binaries.

The open source development model serves here, too; if a Linux vendor will not take the steps necessary to secure their product, then we have the choice of going to another one (or getting the code ourselves).

Jay (=

Morale: don't rush for new src releases/betas (0)

Anonymous Coward | more than 15 years ago | (#2035421)

Let someone else test it first for quite a while to save YOUR ass from trojans.

Although, just think if:

1. PGP key can be successfully forged.
2. Trojan will be implemented in a smart way,
not stupidly visible: if(!strncmp(date,"Fri, 13",6))
FormatDriveC("bye");
AND in a piece of code which is not as often
reviewed as the TCP stack.

How many of you review low level assembler routines present in Linux? What if byte-codes
were used pretending to be data?

The real trojans will come, be sure.
And this probably will enable some nifty worms.

keep thy eyes open.

heh (0)

Anonymous Coward | more than 15 years ago | (#2035422)

For all we know Windows instability could be one big hack put in by a disgruntled employee. :)

-Anonymous Loser

ANd the !@#$ hotmail account is still active (0)

Anonymous Coward | more than 15 years ago | (#2035423)

My annoyance is that the hotmail account that the list of compromised machines is being sent to is still active.

I emailed hotmail, asking them to turn it off. See that take three weeks.

- Sam Trenholme

Buffer overflow's (0)

Anonymous Coward | more than 15 years ago | (#2035424)

How do you know all those nasty buffer overflows weren't just secret backdoors? :) A lot of them were and are around and were and are being exploited...

There's no reason to put the backdoor in plain sight in the source. And even when found it could just be put down to not programming security consciously instead of direct malevolence.

Morale: don't rush for new src releases/betas (0)

Anonymous Coward | more than 15 years ago | (#2035425)

> How many of you review low level assembler
> routines present in Linux? What if byte-codes
> were used pretending to be data?

Linux/ flavours of Unix are written in C, the whole C and nothing but the C. Why do you think C was developed? You must be a youngen.

AndyM

MS? Oh look, another AC fsckwit (0)

Anonymous Coward | more than 15 years ago | (#2035426)

If there is any testing to be done, it is on how you are still alive without a brain.

If MS wanted to make Linux look bad, or try to fsck up OSS there are much better ways of doing it.

Now run away and play with your popsicle sticks until you get a clue.

I think Rob fixed First Post Syndrome (1)

Anonymous Coward | more than 15 years ago | (#2035427)


I haven't confirmed this, but it seems like Rob has put some code in to keep the first few posts from showing up in the order of submitting. I've posted several articles to stories that said something like 1 or 2 comments on the main page and still somehow got the first post. After a while, the other posts would show up (and no, they didn't have lower scores).

--
Jason Eric Pierce

Mettler's attack slightly different (1)

KMSelf (361) | more than 15 years ago | (#2035428)

Mettler's attack is a modification of your system by a trusted user, via source. It's slightly different from the TCP-Wrappers crack in that you presumably don't have extensive peer review over your own system.

Researching a different topic I came across an interesting CERT advisory [cert.org] regarding loadable kernel modules. One common response to Mettler was that any kernel hack would require recompiling the kernel, and restarting the system. With loadable modules, system restart isn't necessary -- the kernel can be modified in place, as it runs.

In all three instances, confirming source, object, or image against a trusted version would help in detection. Kernel compromise is a frightening prospect as it undermines the trustworthiness of the entire system. Booting a fresh kernel, however, removes the damage (you then have to keep the rogue modules out).

You have, but... (1)

jandrese (485) | more than 15 years ago | (#2035429)

Well, FreeBSDers check the MD5 every time they use the ports system to install something. What's even better is that since the FreeBSDers all have their own copy of the MD5, simply changing it on the site won't help.
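
The scheme jandrese describes, as an added example that is not part of this thread and not FreeBSD's own ports code: the checksum you compare against lives in your own tree (FreeBSD keeps it in a per-port `distinfo` file), so an intruder who replaces the tarball on the FTP site, and the checksum published next to it, still fails the check. The distfile name, the `distinfo` contents and the tarball bytes below are constructed placeholders; the script assumes a POSIX shell with `sha256sum` (GNU coreutils). SHA-256 is used rather than the MD5 of 1999, which is no longer collision resistant, but the mechanism is the same.

```shell
#!/bin/sh
# Added example: verify a downloaded distfile against a LOCALLY pinned checksum.
# The pinned value is recorded once from a copy obtained out of band and kept
# with the port definition, never fetched from the same mirror as the tarball.
set -u

# pinned_sum_for DISTINFO NAME
#   prints the pinned hex digest recorded for NAME, in FreeBSD distinfo style:
#   "SHA256 (NAME) = <hex>"   (dots in NAME match any char; fine for a lookup)
pinned_sum_for() {
    sed -n "s/^SHA256 ($2) = \([0-9a-f]*\)\$/\1/p" "$1"
}

# verify_distfile DISTINFO FILE
#   returns 0 if FILE's SHA-256 equals the pinned value, 1 otherwise.
#   A file with no pinned entry is refused: absence of a record is not trust.
verify_distfile() {
    name=$(basename "$2")
    want=$(pinned_sum_for "$1" "$name")
    if [ -z "$want" ]; then
        echo "no pinned checksum for $name; refusing to trust it" >&2
        return 1
    fi
    got=$(sha256sum "$2" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "checksum mismatch for $name" >&2
        echo "  pinned: $want" >&2
        echo "  actual: $got" >&2
        return 1
    fi
    echo "$name: checksum OK"
    return 0
}

# --- demo on constructed files (stand-in for a tcp_wrappers tarball) ---
workdir=$(mktemp -d)
distfile="$workdir/tcp_wrappers.tar.gz"          # placeholder name
printf 'genuine source archive (stand-in bytes)\n' > "$distfile"

# Record the pinned value once, as if from a copy obtained out of band.
distinfo="$workdir/distinfo"
printf 'SHA256 (tcp_wrappers.tar.gz) = %s\n' \
    "$(sha256sum "$distfile" | cut -d' ' -f1)" > "$distinfo"

verify_distfile "$distinfo" "$distfile"             # genuine copy: passes

# Simulate the mirror being compromised: same name, different bytes.
printf 'trojaned archive: same name, different bytes\n' > "$distfile"
verify_distfile "$distinfo" "$distfile" || echo "rejected tampered distfile"
```

The important property is where `distinfo` comes from, not the hash function: if the script fetched the checksum from the mirror it was downloading from, an intruder with write access to that mirror could update both, and the check would prove nothing.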

Uhm, how did the trojan get there? (1)

bram (490) | more than 15 years ago | (#2035430)

I think people found out quite fast, but how the hell did it get there in the first place? :)

/bye
Bram at grmbl dot com

Paranoia - The Destroyer (1)

Trepidity (597) | more than 15 years ago | (#2035431)

An 3l33t hax0r with an IQ about 100 higher than that of the average 3l33t hax0r, of course. Most 3l33t hax0rs I've seen around couldn't write a Hello World program, much less backdoor a tcp wrapper.

Paranoia - The Destroyer (1)

Trepidity (597) | more than 15 years ago | (#2035432)

I wasn't talking about intelligent people who crack systems recreationally. I was talking about "3l33t hax0rs," which yes, would imply people who "tYpE L1k3 this." VERY few of them know the first thing about programming.

Not a big deal (1)

Kenneth L. Hamer (958) | more than 15 years ago | (#2035433)

First, the change was easy enough to detect - the distribution is signed by Venema's PGP key. If a person downloading the source bothered to check the signature it would have been immediately obvious that something was screwy.

Second, it *was* detected and corrected very rapidly.

All in all, a success story.

- Ken

A now-proven hypothesis for OSS (1)

Kenneth L. Hamer (958) | more than 15 years ago | (#2035434)

That is absurd.

- Ken

A now-proven hypothesis for OSS (1)

Chemical Serenity (1324) | more than 15 years ago | (#2035435)

The idea that someone could embed a trojan, backdoor, or otherwise malevolent code into some publicly available app has been around for quite a long time now. Of course, when someone brings that idea up around a group of OSS advocates, the immediate response is "They'll be found out almost instantly."

As far as I'm aware, this is the first incident where some deliberate foul play was detected and handled. Guess those wacky OSS advocates were right. =)

--
rickf@transpect.SPAM-B-GONE.net (remove the SPAM-B-GONE bit)

CERT (1)

Matthew Kirkwood (1344) | more than 15 years ago | (#2035436)

Am I the only person surprised to see that CERT actually got an advisory out on the same day?

Now that I find disturbing :-)

Matthew.

Second tripwire (1)

Robin Hood (1507) | more than 15 years ago | (#2035437)

The first tripwire in this sort of attack is, as you suggest, signing of packages and sources you upload. As long as a cryptographically strong signature (such as PGP) is used, this is usually enough to assure you that the sources haven't been modified. This will not protect against Trojans inserted by the legitimate authors, though, which is why a second tripwire is needed: source review. I'm not a network security expert, and I'm not really capable of reviewing packages: so I trust the PGP signature (at least for my home computer). But I also know that many sysadmins who run sensitive systems are properly paranoid and will not only check the PGP signature but ALSO scrutinize the source themselves. It's one of those paranoid sysadmins who caught the TCP-Wrapper Trojan, and it's one of those paranoid sysadmins who will catch the next Trojan inserted into Open-Source software.

So the only Open-Source Trojan that will really succeed is one put in place by a conspiracy of EVERY single sysadmin worldwide... I'm not worried.

This message has been brought to you by the Sysadmin Conspiracy: There Is No Sysadmin Conspiracy (tinsc).
-----
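
The PGP-signature tripwire that Ken, Robin Hood and others lean on has a catch worth a few lines of shell: `gpg --verify` exits 0 for any good signature made by any key in your keyring, including a key an attacker persuaded you to import, so a script that only checks the exit status is trusting the keyring, not the author. The wrapper below is an added example, not from this thread or from GnuPG's own tooling: it reads gpg's machine-readable `--status-fd` lines and accepts only a `VALIDSIG` by a pinned fingerprint with no failure status present. The fingerprint, user IDs and status lines in the demo are constructed placeholders, so the demo runs without gpg; `verify_download` is the function you would actually call on a real tarball and detached signature.

```shell
#!/bin/sh
# Added example: fail-closed wrapper around "gpg --verify".
# Exit status alone is not enough: gpg returns 0 for a good signature from
# ANY key in the keyring. So we read the status lines and insist on VALIDSIG
# from the pinned fingerprint, with no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG/
# NO_PUBKEY line at all.

# signature_ok PINNED_FPR < status-lines
#   stdin: output of  gpg --batch --status-fd 1 --verify FILE.sig FILE
#   returns 0 only if a VALIDSIG line names PINNED_FPR (as the signing key or
#   as its primary key, the optional last field) and no failure status appeared.
signature_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" ||
        $2 == "REVKEYSIG" || $2 == "NO_PUBKEY" { bad = 1 }
        # VALIDSIG <fpr> <date> <ts> <expire-ts> <sig-ver> <reserved>
        #          <pk-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { valid = 1 }
        END { if (valid && !bad) exit 0; exit 1 }
    '
}

# verify_download PINNED_FPR FILE
#   runs gpg for real; expects the detached signature at FILE.sig or FILE.asc
verify_download() {
    fpr=$1; file=$2
    sig="$file.sig"; [ -f "$sig" ] || sig="$file.asc"
    gpg --batch --status-fd 1 --verify "$sig" "$file" | signature_ok "$fpr"
}

# --- demo with constructed status output (no gpg or keys needed) ---
PINNED="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"   # placeholder

good_status='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Author <author@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_FULLY 0 pgp'

# A perfectly good signature, but by some other key that is also in the keyring.
# gpg itself would exit 0 here; the fingerprint pin is what rejects it.
wrong_key_status='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Mallory <mallory@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2024-01-01 1704067200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98'

bad_status='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Author <author@example.org>'

printf '%s\n' "$good_status"      | signature_ok "$PINNED" && echo "genuine: accepted"
printf '%s\n' "$wrong_key_status" | signature_ok "$PINNED" || echo "other key: rejected"
printf '%s\n' "$bad_status"       | signature_ok "$PINNED" || echo "bad signature: rejected"
```

Pinning the fingerprint turns the question from "is this signed?" into "is this signed by the person whose key I verified out of band?", which is the only question the signature can actually answer. It still does nothing against a trojan committed by the legitimate author, which is why the thread's second tripwire, reading the source, remains necessary.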

I wonder... (1)

marcus (1916) | more than 15 years ago | (#2035438)

...if it was a setup to show the OSS strength? It seems too easy.

To whom is the email sent?
Who first discovered the trojans?
Was it someone that downloaded the code?
Was it one of the sysadmins scanning the logs?

Answers to some of these questions will tell.

Not scary at all. (1)

Effugas (2378) | more than 15 years ago | (#2035439)

I repeat--the TCP Wrappers source attack isn't scary at all.

The hack went in on the 21st. It's now the 22nd, barely.

This is scary? It took one day to detect and handle a security problem? Closed source products can have security issues for years and years before their existence becomes public knowledge. Took them a day.

Indeed, it is only when attacks become "open source" in a sense that they're cured.

Once you pull the pin, Mr. Grenade is no longer your friend.

Whodoneit? (1)

dattaway (3088) | more than 15 years ago | (#2035440)

Who (or what address) was the knucklehead where this came from? I'm thankful for MD5s. May the infinite pings of a thousand sysadmins infest his dialup connection.

I love it (1)

aheitner (3273) | more than 15 years ago | (#2035441)

when some jackass makes himself look like a fool with a false-first posting :)

we were warned (1)

hany (3601) | more than 15 years ago | (#2035442)

A few months ago some guy warned about such a possibility.

But I agree with Effugas: it's not that bad to have such a thing in open source software compared to some closed source one; the first one (open) can be handled for example by viewing the source or choosing the download site carefully; but protecting ourselves against bugs/viruses/trojans distributed in closed source software is far harder.

encryption ... (1)

hany (3601) | more than 15 years ago | (#2035443)

Yes ... you do not explain why, but I agree.

If we have a fine crypto system with key exchange then every piece of software could be signed by author/packager/producer/... and we should be able to authenticate the person and then trust him, or download the software from someone else.

our slogan should be: sign what you produce
(i will ... soon :)

we were warned, but... (1)

hany (3601) | more than 15 years ago | (#2035444)

I fully agree with you

You have, but... (1)

Vitus Wagner (5911) | more than 15 years ago | (#2035445)

>This is just the reason why we need solid and unrestricted encryption software...

There was MD5 sum for this package and there was detached PGP signature.

But how often do you care to check signatures when you are downloading a package? And it seems that anything at all can contain trojans.

Read a nice article [acm.org] by Ken Thompson about a trojan in a C compiler. Have you checked the MD5 sum when you downloaded a GCC binary last time? And as Thompson shows, recompiling GCC from sources with an untrusted compiler doesn't help you.

A now-proven hypothesis for OSS (1)

Lightborn (7556) | more than 15 years ago | (#2035446)

That's a fallacious argument, since you can't prove that we have found all backdoors in OSS. The hypothesis is a self-fulfilling one...

Embrace And Extend??? (1)

PhilosopherKing (7890) | more than 15 years ago | (#2035447)

Dum Da-da Da Dumm!

An Observation (1)

BgCntry (8263) | more than 14 years ago | (#2035448)

Mr. Grenade doesn't become your friend until after you pull the pin.

$0.02

Don't be too eager to raid the FTP sites (1)

Cassius (9481) | more than 15 years ago | (#2035449)

I'm finding over time its prudent to let others raid Freshmeat for me and discover security flaws or even bugs before I bother downloading.

Logic 101 (1)

Omnifarious (11933) | more than 15 years ago | (#2035450)

While what you say might very well be true, it doesn't say anything about the previous person's statement. Most of the general population are also not skilled programmers.

He (I assume) was saying that cracking does not strongly correlate to programming skills, not that it correlates more or less than some other activity.

Most of the crackers I've talked to are what the BBS world used to call ruggies, or rugrats. About 1-5% of them may, someday, grow up to be skilled programmers. Most people with the knowledge to develop new cracking techniques are also grown up enough not to use it.

Morale: don't rush for new src releases/betas???? (1)

Natedog (11943) | more than 15 years ago | (#2035451)

"Lets first someone test it for quite a while to save YOUR ass from trojans."

This trojan horse was not inserted by the authors of the package. Instead, it was inserted by someone that broke into the ftp site. This would be the same as breaking into MS web site and uploading a patch infected with a trojan horse. Waiting x amount of time has nothing to do with this.

"1. PGP key can be successfully forged."

??? PLEASE...who are you kidding? Do you know anything about cryptography? Forging a PGP sig is so unlikely that it would be more feasible for the offender to physically force you to hand over your private key.

"FormatDriveC("bye");"

Go away troll - Linux/Unix does not use drive letters.

"How many of you review low level assembler routies present in Linux?"

_WHY_ would I do this?? Obviously you are from the MS world of closed source where you do not have access to the source code.

How did it happen? (1)

phred (14852) | more than 15 years ago | (#2035452)

Sure, it's cool that the problem was identified and snuffed in a day or so.

How the hell did it happen to begin with? CERT is always so coy about *that*.

Dropping this into tcpd is like tugging on Superman's cape. Someone is gonna get serious props from the kiddieZ for this one.

--------

we were warned, but... (1)

irqzero (15301) | more than 15 years ago | (#2035453)

It probably just put the idea in someone's head...
Either that, or it's a conspiracy :)

