|
|
Subscribe / Log in / New account

Re: Trojan/backdoor in fragroute 1.2 source distribution

[Posted June 4, 2002 by dennis] 

From:	 Dug Song <dugsong@monkey.org>
To:	 bugtraq@securityfocus.com
Subject: Re: Trojan/backdoor in fragroute 1.2 source distribution
Date:	 Fri, 31 May 2002 12:34:49 -0400
Cc:	 dsniff@monkey.org

On Fri, May 31, 2002 at 09:55:21AM +0200, Anders Nordby wrote:

> Although downloading it now seems safe, I think folks should know
> this.  The changes done were similar to what happened to irssi, but
> with a different IP.

monkey.org was compromised on May 14th, via an epic4-pre2.511
client-side hole which produced a shell to one of the local admin's
accounts. this was later used to reattach to one of his screen
sessions, which apparently had a root window open (su very bad!).

the dsniff-2.3, fragroute-1.2, and fragrouter-1.6 tarballs were all
modified at 3 AM on May 17th to include the same configure backdoor as
described in the irssi advisory. no other public web content was
modified, and the system was restored a week later, from scratch.
the correct checksums are:

MD5 (dsniff-2.3.tar.gz) = 183e336a45e38013f3af840bddec44b4
MD5 (fragroute-1.2.tar.gz) = 7e4de763fae35a50e871bdcd1ac8e23a
MD5 (fragrouter-1.6.tar.gz) = 73fdc73f8da0b41b995420ded00533cc

of the 1951 hosts that successfully downloaded one of the backdoored
tarballs, 992 of them were Windows machines and 193 were automated
ports downloads for the *BSD dsniff or fragrouter ports, leaving 746
Linux (and a few Solaris and MacOS) hosts potentially vulnerable, and
20 FreeBSD and OpenBSD hosts.

we have since migrated our system to OpenBSD-current, importing Niels
Provos' excellent systrace subsystem:

	http://www.citi.umich.edu/u/provos/systrace

which allows us to run all user sessions under a restricted syscall
policy (e.g. so an IRC client cannot exec(), open() anything outside
~/.irc, etc.), similar in spirit to Goldberg and Wagner's Janus
sandbox, or Cowen's SubDomain.

in the future, our software distributions may carry embedded
signatures via gzsig:

	http://www.monkey.org/~dugsong/gzsig-0.1.tar.gz

but for the time being, please be careful what you download, and
carefully audit or sandbox any third-party scripts or software you
run...

-d.

---
http://www.monkey.org/~dugsong/

to post comments


Copyright © 2002, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds