similar to: OpenSSH Security Advisory: Trojaned Distribution Files

2002 Aug 01
0
openssh-3.4p1.tar.gz (openBSD) trojaned
Hi, FYI: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=394609+0+current/freebsd-security >Greetings, > >Just want to inform you that the OpenSSH package on ftp.openbsd.org >(and probably all its mirrors now) is trojaned: > >
2002 Aug 01
0
openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen (fwd)
Below the trojaned and clean md5s are given. ---------- Forwarded message ---------- Date: Thu, 1 Aug 2002 13:39:22 +0200 From: Magnus Bodin <magnus at bodin.org> To: Wojtek Pilorz <wpilorz at bdk.pl> Cc: openssh-unix-dev at mindrot.org Subject: Re: openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen On Thu, Aug 01, 2002 at 09:20:29AM +0200, Wojtek Pilorz wrote:
2003 Aug 13
0
All "GNU" software potentially Trojaned
CERT Advisory CA-2003-21 GNU Project FTP Server Compromise Original issue date: August 13, 2003 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Overview The CERT/CC has received a report that the system housing the primary FTP servers for the GNU software project was compromised. I. Description
2002 Aug 01
4
openssh-3.4p1.tar.gz on ftp.openbsd.org changing rather than frozen
I have seen that file ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz is continuously changing. This seems strange to me as I expected it should be a 'frozen' file; the signature and diff file are still dated Jun 26. I am wondering whether this is intentional. Best regards, Wojtek
2001 Jun 02
3
Recent breakins / SSHD root hole?
The trojaned ssh client is nothing new to the hacker community, and the statement in the previous thread claiming "This type of man-in-the-middle attack (trojaned ssh) is not theoretical anymore, and password authentication is broken." is an example of how many people still think "hacking" is something very difficult and nothing short of a genius is required to make the
2002 May 17
2
Problems with OpenSSH 3.2.2p1 on Solaris 7
just upgraded to OpenSSH 3.2.2p1 on a box running Solaris 7. now I get the following when logging on: Warning: no access to tty (Inappropriate ioctl for device). Thus no job control in this shell. everything works alright with 3.0p1, but 3.1p1 and 3.2.2p1 seems to have this problem. jakob
2001 Jun 01
1
recent breakins
From http://www.apache.org/info/20010519-hack.html: "The ssh client at SourceForge had been compromised to log outgoing names and passwords, so the cracker was thus able get a shell on apache.org." user's ssh --> SF's ssh --> apache.org's sshd So basically the user's password was entered in the clear to an untrusted program (SF's ssh). Never mind that
2003 May 10
1
Hacked? (UPDATE)
Update, for those that want to know... The attacker used a worm or bot that tried hundreds (if not thousands) of connections through SMBD. (Samba). I was running 2.2.7. I noticed the attempts for a week, but the log file always showed "access denied" so I wasn't too worried about it. Well, obviously, one of those attempts got through... At this time, the worm (or bot) modified
2002 May 23
4
3.2.3p1 on OpenServer
Hi All, I compiled the 3.2.3p1 source on SCO OpenServer 5.0.6. When a client connects to it now, they get stair-stepping everywhere. Issuing an stty sane resolves the issue for that login. For bug 245 in 3.2.2p1, the call to setsid() in sshd.c was bypassed due to problems it was causing with Solaris. However, by allowing this method to be called, the stair-stepping goes away. Thanks, Greg
1996 Nov 26
0
Major Security Vulnerabilities in Remote CD Databases
XMCD is a popular unix audio cd-player with a unique feature that it will query remote databases over the Internet to determine the title, group, and song list for cds that are being played. The remote database of compact discs has become quite popular and is now supported by several Windows based cd players as well, including EasyCD2, DiscPlay, MyCDPLayer, and WinMCD. XMCD source is available
2002 May 17
1
erroneous reporting of md5 usage, openssh-3.2.2p1
Talking about openssh-3.2.2p1: The configure script is erroneously reporting the md5-password status. The script, when activated with "--with-md5-passwords", correctly sets the config.h but reports "MD5 password support: no". Seems that is due to a bug in configure.ac, line 2026. Kind regards, Kagan Kongar
2003 Jan 06
3
ownership permissions on files replaced via scp -- bug or feature?
I've noticed the following behavior on files that are overwritten with an scp command and I can't decide if this is intended behavior or a bug? Can someone with a little more insight please share the reasoning for this (if any)? I've tested this with a mix of 3.4p1 and 3.5p1 hosts. Suppose we have 2 files on different hosts, with different group ownership and permissions. user1 is not
2002 Aug 02
0
[Bug 379] New: difficult to find the openssh code signing key on openssh.org.
http://bugzilla.mindrot.org/show_bug.cgi?id=379 Summary: difficult to find the openssh code signing key on openssh.org. Product: Portable OpenSSH Version: -current Platform: Other OS/Version: other Status: NEW Severity: normal Priority: P2 Component: Documentation AssignedTo:
2001 Jun 19
1
FW: poor permissions on ssh binary
-----Original Message----- From: Loomis, Rip Sent: Tuesday, 19 June, 2001 09:10 To: 'geoff at raye.com' Subject: RE: poor permissions on ssh binary Geoff-- You stated that you consider it "a poor choice of permissions" to install the ssh binary as mode 0711. Since it will run perfectly with even more restrictive permissions (we typically install it mode 0511 here), what is
2001 Jun 01
0
Disabling Password-based auth? (was RE: recent breakins)
Crap. I hit send too fast. Last sentence in first paragraph should have read "no completely secure way" for authentication to be passed-- because the agent-based forwarding program could have been compromised as well--except for the cases already mentioned such as SRP and RSAAuth where the auth. information is better protected. Even if the SF server had been capable of forwarding the
2001 Jun 01
1
Disabling Password-based auth? (was RE: recent breakins)
All-- But it's not as simple as forwarding the password-based authentication. Regardless of what method was used to SSH from system one (user's) to system two (SF), the user then started up *a second* SSH session to go from two (SF) to three (Apache). There is no effective way for any authentication information from the first session to be passed to the second, in my mind. Remember
2002 Aug 07
1
Unrelated (was RE: so-called-hang-on-exit)
Add -n to the ssh command line - see if that fixes it. Nico -- > -----Original Message----- > From: Eric Garff [mailto:egarff at omniture.com] > Sent: Wednesday, August 07, 2002 11:15 AM > To: openssh-unix-dev at mindrot.org > Subject: Re: so-called-hang-on-exit > > > That may be, but it only "hangs" when run from cron, if I run it > manually it executes
2005 Apr 14
5
dovecot rpms, .subscriptions file, mbox to maildir
Hi, I am running dovecot 0.99-14 on a Fedora Core 2 machine. I had a few questions: 1) I wanted to upgrade to the dovecot-1.0 release. However, I am not sure if that's really required. dovecot-0.99-14 has been running very well for me for quite some time. Is there a real advantage to switching to the latest release? The reason I'm asking this is because: i) I don't have too
2002 May 22
1
error: ioctl(TIOCSCTTY)
Hi there I've just upgraded to openssh-3.2.2p1 from openssh-1.2.3 and am having some difficulties. On one of the platforms I'm using (linux kernel 2.2.19 with glibc 2.1.1) it works fine, but on another (linux kernel 2.2.20 with glibc 2.0.7) I get this in the syslog every time I log in: sshd[12277]: Accepted publickey for root from 212.38.67.158 port 2397 ssh2 PAM_pwdb[12277]: (sshd)
2002 May 22
0
[PATCH] connect() timeout
Here are the new versions of this widely used patch for OpenSSH 3.2.2p1 and 3.2.3p1. The patch avoids waiting too long when using ssh() or scp() on a down host; it is useful when you have to update many hosts via rsync or rdist themselves relying upon ssh(). It enables a new option 'ConnectTimeout' to control exactly the timeout value, so that it can be used even on slow links. These