public inbox for speakup@linux-speakup.org
From: "Alex Snow" <alex_snow@gmx.net>
To: <speakup@braille.uwo.ca>
Subject: Re: [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]
Date: Wed, 13 Nov 2002 19:44:54 -0500
Message-ID: <000d01c28b77$0d1d7a80$6401a8c0@computer>
In-Reply-To: <20021114000720.GC6936@lrxms.net>

Yeah that's why it's getting increasingly important to digitally sign files
before releasing them, so that way you can tell if someone screwed with the
file.
Explorer has caused a general protection fault in module kernel32.dll. I'm
sick of Winblows!
----- Original Message -----
From: "Scott Howell" <showell@lrxms.net>
To: <speakup@braille.uwo.ca>
Sent: Wednesday, November 13, 2002 7:07 PM
Subject: [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap
trojan]


> Folks, I am subscribed to the list about Nmap. This info might be very
> interesting to folks. I have not had a chance to verify all the info nor
> have I seen anything from Bug Track, but that could be more a problem
> with not getting mail from my ISP. In any case, if anyone does know more,
> please share.
>
> tnx
>
>
> ----- Forwarded message from Philip Ehrens <pehrens@ligo.caltech.edu> -----
>
> Mailing-List: contact nmap-hackers-help@insecure.org; run by ezmlm
> From: Philip Ehrens <pehrens@ligo.caltech.edu>
> To: Fyodor <fyodor@insecure.org>
> Cc: nmap-hackers@insecure.org
> Subject: Re: Nmap *NOT* affected by libpcap trojan
> Mail-Followup-To: Philip Ehrens <pehrens@lrxms.net>,
> Fyodor <fyodor@insecure.org>, nmap-hackers@insecure.org
>
> I would like to point out that the type of trojan described below
> is becoming increasingly common.  ftp.sendmail.org was compromised
> recently and a similar trojan was placed in the sendmail source
> tarball.
>
> I know of at least 12 common packages that have had their source
> tarballs compromised within the last 3 months on servers that were
> considered secure.  The folks doing this have gone as far as to
> hijack DNS and root machines on specific subnets in order to place
> this type of trojan.
>
> These trojans are activated during the build process of the source
> tarball in most cases, usually the configure script contains some
> variation of code that establishes a connection to a remote machine.
>
> I believe that the folks doing this are actually trying to catch
> certain specific machines or subnets, and are not doing this to
> set up DDOS or just to own large numbers of boxes.  When I activated
> one of these trojans while building a package all that happened was
> that my /etc/passwd file was shipped off.  The machine listening on
> the other end never did anything except stay connected for a while.
>
> I expect to see more and more of this at an accelerating rate
> from now on...  if you are letting root make remote connections
> you are asking for trouble!
>
> Sorry for using your list for this Fyodor, I won't do it again.
>
> Phil
>
> Fyodor wrote:
> > I just wanted to send out a quick note that the version of libpcap
> > shipped with Nmap does NOT contain the trojan described at:
> >
> > http://hlug.fscker.com/
> >
> > http://slashdot.org/article.pl?sid=02/11/13/1255243&mode=nested&tid=172&threshold=3
> >
> > Cheers,
> > -F
>
> --------------------------------------------------
> For help using this (nmap-hackers) mailing list, send a blank email to
> nmap-hackers-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).
>
> ----- End forwarded message -----
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
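
Added example, not part of the original messages: a pre-build check that ties together the two points in this thread, verifying a downloaded tarball against a digest obtained out of band and reading its configure script for network activity without extracting or running anything. The pinned digest stands in for a detached signature check (gpg --verify), which is the stronger control; the pattern list, file names and sample scripts are constructed assumptions, not signatures of the trojans discussed.

```python
import hashlib, hmac, io, re, tarfile

# Heuristic indicators of build-time network activity (constructed for this
# example; expect false positives, e.g. autoconf probes for socket()).
NET_PATTERNS = [
    (re.compile(r"/dev/(tcp|udp)/"), "shell network redirection"),
    (re.compile(r"\b(nc|ncat|netcat|telnet)\b"), "raw socket client"),
    (re.compile(r"\b(wget|curl|ftp)\b"), "download tool"),
    (re.compile(r"\bsocket\s*\("), "socket() call"),
]
BUILD_SCRIPTS = {"configure", "Makefile.in", "Makefile", "install-sh"}

def digest_matches(data: bytes, pinned_sha256: str) -> bool:
    """Compare the tarball's SHA-256 with a digest obtained out of band."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, pinned_sha256.lower())

def scan_build_scripts(data: bytes):
    """Read build scripts from the archive without extracting or running them."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        for member in tar:
            name = member.name.rsplit("/", 1)[-1]
            if not member.isfile() or name not in BUILD_SCRIPTS:
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for pattern, label in NET_PATTERNS:
                    if pattern.search(line):
                        hits.append((member.name, lineno, label))
    return hits

def make_sample_tarball(configure_text: str) -> bytes:
    """Build a constructed one-file tarball in memory for the demonstration."""
    buf, payload = io.BytesIO(), configure_text.encode()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("pkg-1.0/configure")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

# Constructed samples: a clean script and a copy with one added network call.
CLEAN = "#!/bin/sh\necho checking for gcc\n"
TAMPERED = CLEAN + "curl -s http://host.example/ >/dev/null\n"

if __name__ == "__main__":
    released, mirror = make_sample_tarball(CLEAN), make_sample_tarball(TAMPERED)
    pinned = hashlib.sha256(released).hexdigest()  # stands in for a published digest
    print(digest_matches(mirror, pinned), scan_build_scripts(mirror))
```

A digest mismatch is the decisive result; the scan only points a reviewer at lines to read before anything is built, and building as an unprivileged user limits what such a script can reach.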


