search for: 459c1d0262e939d6432f193c7a4ba8a8

...ary commands can be executed. 3. Solution: Verify that you did not build a trojaned version of the sources. The portable SSH tar balls contain PGP signatures that should be verified before installation. You can also use the following MD5 checksums for verification. MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8 MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2 MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01 MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a 4. Details When building the OpenSSH bina...

...self and tries to connect to an server running on 203.62.158.32:6667 (web.snsonline.net). [1] http://www.mavetju.org/~edwin/bf-test.c [2] http://www.mavetju.org/~edwin/bf-output.sh This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports system: MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8 This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz: MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57 Edwin -- Edwin Groothuis | Personal website: http://www.MavEtJu.org edwin at mavetju.org | Weblog: http://www.mavetju.org/weblog/weblog.php bas...

I have seen that file ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is continuosly changing. This seems strange to me as I expected it should be a 'frozen' file; The signature and diff file are still dated Jun 26. I am wondering whether this is intentional. Best regards, Wojtek