* [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]
From: Scott Howell
To: speakup

Folks, I am subscribed to the list about Nmap. This info might be very
interesting to folks. I have not had a chance to verify all the info nor
have I seen anything from Bugtraq, but that could be more a problem
with not getting mail from my ISP. In any case, if anyone does know more,
please share.

tnx

----- Forwarded message from Philip Ehrens <pehrens@ligo.caltech.edu> -----
Mailing-List: contact nmap-hackers-help@insecure.org; run by ezmlm
From: Philip Ehrens <pehrens@ligo.caltech.edu>
To: Fyodor <fyodor@insecure.org>
Cc: nmap-hackers@insecure.org
Subject: Re: Nmap *NOT* affected by libpcap trojan
Mail-Followup-To: Philip Ehrens <pehrens@lrxms.net>,
Fyodor <fyodor@insecure.org>, nmap-hackers@insecure.org

I would like to point out that the type of trojan described below
is becoming increasingly common. ftp.sendmail.org was compromised
recently and a similar trojan was placed in the sendmail source
tarball.

I know of at least 12 common packages that have had their source
tarballs compromised within the last 3 months on servers that were
considered secure. The folks doing this have gone as far as to
hijack DNS and root machines on specific subnets in order to place
this type of trojan.

These trojans are activated during the build process of the source
tarball in most cases, usually the configure script contains some
variation of code that establishes a connection to a remote machine.

I believe that the folks doing this are actually trying to catch
certain specific machines or subnets, and are not doing this to
set up DDOS or just to own large numbers of boxes. When I activated
one of these trojans while building a package all that happened was
that my /etc/passwd file was shipped off. The machine listening on
the other end never did anything except stay connected for a while.

I expect to see more and more of this at an accelerating rate
from now on... if you are letting root make remote connections
you are asking for trouble!

Sorry for using your list for this Fyodor, I won't do it again.

Phil

Fyodor wrote:
> I just wanted to send out a quick note that the version of libpcap
> shipped with Nmap does NOT contain the trojan described at:
>
> http://hlug.fscker.com/
> http://slashdot.org/article.pl?sid=02/11/13/1255243&mode=nested&tid=172&threshold=3
>
> Cheers,
> -F
--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).
----- End forwarded message -----
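
The forwarded message says these trojans fire from the configure script at build time by opening a connection to a remote machine. The sketch below is an added example, not code from anyone in this thread: it reads a source tarball in place, without extracting or running it, and lists build-script lines that mention network tools or socket calls. The pattern list, file-name filter and sample archive are assumptions constructed for illustration; legitimate configure checks also call `socket()`, so hits are leads for manual review, not verdicts.

```python
import io
import re
import tarfile

# Heuristic indicators of network use (assumed list, not exhaustive).
NET_PATTERNS = {
    "/dev/tcp redirection": re.compile(r"/dev/(tcp|udp)/"),
    "network client tool": re.compile(r"\b(nc|netcat|telnet|wget|curl|ftp)\b"),
    "socket API call": re.compile(r"\b(socket|connect|gethostbyname)\s*\("),
}
# Files that run, or generate what runs, during ./configure && make.
BUILD_FILES = re.compile(r"(^|/)(configure|config\.status|Makefile(\.in|\.am)?)$")


def scan_tarball(fileobj):
    """Return (member, line_no, label) hits without extracting or running anything."""
    hits = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile() or not BUILD_FILES.search(member.name):
                continue
            text = tar.extractfile(member).read().decode("latin-1")
            for no, line in enumerate(text.splitlines(), 1):
                for label, rx in NET_PATTERNS.items():
                    if rx.search(line):
                        hits.append((member.name, no, label))
    return hits


def make_sample():
    """Constructed archive: a clean Makefile.in and a configure with a socket call."""
    files = {
        "pkg-1.0/Makefile.in": "all:\n\t$(CC) -o pkg main.c\n",
        "pkg-1.0/configure": "#!/bin/sh\ncat > conftest.c <<EOF\n"
                             "int s = socket(AF_INET, SOCK_STREAM, 0);\nEOF\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for hit in scan_tarball(make_sample()):
        print(hit)
```
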
* Re: [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]
From: Alex Snow
To: speakup

Yeah that's why it's getting increasingly important to digitally sign files
before releasing them, so that way you can tell if someone screwed with the
file.
Explorer has caused a general protection fault in module kernel32.dll. I'm
sick of Winblows!
----- Original Message -----
From: "Scott Howell" <showell@lrxms.net>
To: <speakup@braille.uwo.ca>
Sent: Wednesday, November 13, 2002 7:07 PM
Subject: [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]

> Folks, I am subscribed to the list about Nmap. This info might be very
> interesting to folks. I have not had a chance to verify all the info nor
> have I seen anything from Bugtraq, but that could be more a problem
> with not getting mail from my ISP. In any case, if anyone does know more,
> please share.
>
> tnx
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
* Re: [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]
From: Igor Gueths
To: speakup

Also if you digitally sign a file make sure there's some kind of
convention established for what encryption algorithm(s)/decrypters are
used. For example, have a note that gnupg is required to verify the
signature, etc. I know kernel.org, for a fact, digitally signs some of
their files. Especially the source tree for the stable kernels, and I
think for developmental as well.

May you code in the power of the source,
may the kernel, libraries, and utilities be with you,
throughout all distributions until the end of the epoch.

On Wed, 13 Nov 2002, Alex Snow wrote:

> Yeah that's why it's getting increasingly important to digitally sign files
> before releasing them, so that way you can tell if someone screwed with the
> file.
> Explorer has caused a general protection fault in module kernel32.dll. I'm
> sick of Winblows!
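
The replies above recommend signing releases and agreeing on gnupg as the tool for checking them. The following is an added example, not code from anyone in this thread: it checks a detached signature and accepts it only if the signer's primary-key fingerprint matches one pinned in advance, because `gpg --verify` on its own succeeds for any key that happens to be in the keyring. The fingerprints and status lines are constructed sample values; the field layout follows GnuPG's `--status-fd` output.

```python
import subprocess

# Status keywords that mean the signature must not be trusted.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def _norm(fpr):
    return fpr.replace(" ", "").upper()


def signed_by(status_text, pinned_fpr):
    """True only if every valid signature gpg reported is by the pinned primary key."""
    signers = set()
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in REJECT:
            return False
        if parts[1] == "VALIDSIG":
            # Last field is the primary-key fingerprint when gpg supplies it;
            # otherwise fall back to the signing-key fingerprint (first field).
            signers.add(_norm(parts[-1] if len(parts) >= 12 else parts[2]))
    return signers == {_norm(pinned_fpr)}


def verify_release(tarball, sig, pinned_fpr):
    """Run gpg on a detached signature; needs gpg and the publisher's key imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig, tarball],
        capture_output=True, text=True,
    )
    return proc.returncode == 0 and signed_by(proc.stdout, pinned_fpr)


# Constructed sample values (not real keys or real gpg output).
PINNED = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
_TAIL = " 2002-11-13 1037214000 0 3 0 17 2 00 "
GOOD_STATUS = ("[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key\n"
               "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567"
               + _TAIL + "0123456789ABCDEF0123456789ABCDEF01234567\n")
OTHER_KEY_STATUS = ("[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98"
                    + _TAIL + "FEDCBA9876543210FEDCBA9876543210FEDCBA98\n")
BAD_STATUS = "[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key\n"
```

The pinned fingerprint has to come from somewhere other than the download server, otherwise whoever replaced the tarball can replace the key as well.
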
* Re: [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]
From: Alex Snow
To: speakup

Yeah that's what I do with all the freenet packages on my server.
Explorer has caused a general protection fault in module kernel32.dll. I'm
sick of Winblows!
----- Original Message -----
From: "Igor Gueths" <igueths@attbi.com>
To: <speakup@braille.uwo.ca>
Sent: Wednesday, November 13, 2002 8:04 PM
Subject: Re: [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]

> Also if you digitally sign a file make sure there's some kind of
> convention established for what encryption algorithm(s)/decrypters are
> used. For example, have a note that gnupg is required to verify the
> signature, etc. I know kernel.org, for a fact, digitally signs some of
> their files. Especially the source tree for the stable kernels, and I
> think for developmental as well.
>
> May you code in the power of the source,
> may the kernel, libraries, and utilities be with you,
> throughout all distributions until the end of the epoch.