* Popular packet sniffing packages contaminated by Trojan
@ Geoff Shang
` Gregory Nowak
` Ann Parsons
0 siblings, 2 replies; 9+ messages in thread
From: Geoff Shang @ UTC (permalink / raw)
To: speakup
Hi:
The following story was posted to the Register at
http://www.theregister.co.uk/content/55/28105.html . Man, there are some
idiots out there.
Geoff.
Popular packet sniffing packages contaminated by Trojan
By [39]John Leyden
Posted: 14/11/2002 at 16:43 GMT
Users are warned to be vigilant after trojanised versions of popular
packet sniffing packages were posted on well known download sites.
A [40]detailed alert from members of the Houston Linux users group
warns that trojanised versions of Libpcap, used as a packet sniffing
library in programs like Snort (the open source IDS package), and
Tcpdump have been posted on Tcpdump.org. These contaminated packages
have also found their way onto many mirror sites, such as
Wiretapped.net
.
The trojan contains modifications to the configure script for both
packages. It also alters gencode.c in libpcap only.
Russ Spooner, of network security specialists Interrorem, told us that
the warning is genuine and affects a wide range of widely used
programmes.
"Libpcap is massively used across a wide range of platforms, programs
such as ethereal use it, and of course tcpdump," he told us. "If Snort
(one of the best IDS out there) is built against a trojanised lipcap,
then obviously that would become vulnerable too".
"Even "hacking" tools like ettercap would be vulnerable to compromise
with this, he added.
There is an important mitigating factor, however.
The backdoor component of the trojan tries to connect to a specific
host (mars.raketti.net), and as such fail to open compromised systems
to world+dog.
Sponner advises that, as a precaution, people should downgrade their
libpcap to a trusted
version and be cautious of statically compiled pcap based programs.
These programmes should be run in a sandbox to make sure they are not
trying to connect to the mars.raketti.net server.
Posting version of popular applications contaminated with trojan code
has become a popular tactic among denizens in the digital underground.
In October a trojanised version of Sendmail was found circulating the
Internet. Experts later noted the marked similarities between this
trojan to a backdoor planted in OpenSSH in late July. ®
Related Stories
[41]Trojanized Sendmail distro circulated
[42]Sendmail Trojan looks familiar
[43]OpenSSH trojaned!
References
39. mailto:john.leyden@theregister.co.uk
40. http://hlug.fscker.com/
41. http://www.theregister.co.uk/content/55/27511.html
42. http://www.theregister.co.uk/content/55/27554.html
43. http://www.theregister.co.uk/content/archive/26492.html
^ permalink raw reply [flat|nested] 9+ messages in thread
* Re: Popular packet sniffing packages contaminated by Trojan
Popular packet sniffing packages contaminated by Trojan Geoff Shang
@ ` Gregory Nowak
` Geoff Shang
` (2 more replies)
` Ann Parsons
1 sibling, 3 replies; 9+ messages in thread
From: Gregory Nowak @ UTC (permalink / raw)
To: speakup
How do those of us who install packages provided by our distros know if we're effected or not. I'm specifically thinking of slackware 8.1.
If these packages are effected, then will new packages be released with the back doors removed?
Greg
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Popular packet sniffing packages contaminated by Trojan
` Gregory Nowak
@ ` Geoff Shang
` Kenny Hitt
` Toby Fisher
2 siblings, 0 replies; 9+ messages in thread
From: Geoff Shang @ UTC (permalink / raw)
To: speakup
Hi:
Well, the person who packages a program is obviously responsible for that
package, so in the first instance, check with the supplier of that package
(slakware in your case).
Geoff.
--
Geoff Shang <gshang@uq.net.au>
ICQ number 43634701
Make sure your E-mail can be read by everyone!
http://www.betips.net/etc/evilmail.html
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Popular packet sniffing packages contaminated by Trojan
` Gregory Nowak
` Geoff Shang
@ ` Kenny Hitt
` dashielljt
` Toby Fisher
2 siblings, 1 reply; 9+ messages in thread
From: Kenny Hitt @ UTC (permalink / raw)
To: speakup
Hi. You should check with your distro.
Debian isn't effected.
Kenny
On Thu, Nov 14, 2002 at 11:31:46PM -0600, Gregory Nowak wrote:
> How do those of us who install packages provided by our distros know if we're effected or not. I'm specifically thinking of slackware 8.1.
>
> If these packages are effected, then will new packages be released with the back doors removed?
>
> Greg
>
>
> _______________________________________________
> Speakup mailing list
> Speakup@braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Popular packet sniffing packages contaminated by Trojan
` Gregory Nowak
` Geoff Shang
` Kenny Hitt
@ ` Toby Fisher
` dashielljt
2 siblings, 1 reply; 9+ messages in thread
From: Toby Fisher @ UTC (permalink / raw)
To: speakup
On Thu, 14 Nov 2002, Gregory Nowak wrote:
> How do those of us who install packages provided by our distros know if we're effected or not. I'm specifically thinking of slackware 8.1.
Greg, on the Slackware cd, each package has a digital signature with it.
I would think it unlikely however, since someone would have noticed by
now, remember that Slackware 8.1 has been out since the end of June.
> If these packages are effected, then will new packages be released
> with the back doors removed?
This would have been done long ago, or the credibility of Slackware would
be completely destroyed.
Cheers.
--
Toby Fisher Email: toby@tjfisher.co.uk
Tel.: +44(0)1480 417272 Mobile: +44(0)7974 363239
ICQ: #61744808
Please avoid sending me Word or PowerPoint attachments.
See http://www.fsf.org/philosophy/no-word-attachments.html
^ permalink raw reply [flat|nested] 9+ messages in thread
* Popular packet sniffing packages contaminated by Trojan
Popular packet sniffing packages contaminated by Trojan Geoff Shang
` Gregory Nowak
@ ` Ann Parsons
` Scott Howell
1 sibling, 1 reply; 9+ messages in thread
From: Ann Parsons @ UTC (permalink / raw)
To: speakup
Hi all,
Geoff, do you mean that this article is not genuine, or do you mean
that the article is indeed genuine and people should look out for
this, or what? You're being rather criptic!
Ann P.
--
Ann K. Parsons
email: akp@eznet.net ICQ Number: 33006854
WEB SITE: http://home.eznet.net/~akp
"All that is gold does not glitter. Not all those who wander are lost." JRRT
^ permalink raw reply [flat|nested] 9+ messages in thread* Re: Popular packet sniffing packages contaminated by Trojan
` Ann Parsons
@ ` Scott Howell
0 siblings, 0 replies; 9+ messages in thread
From: Scott Howell @ UTC (permalink / raw)
To: speakup
Ann,
Nothing cryptic about the article. In fact yes, you should be careful
and yes this is a real problem. I first posted a bit on this a couple of
days ago and the article is the first confirmation I've read. I used to
get stuff from Bug Traq, but can't figure out where my ISP's mail has
gone.<grin>
I think its at this point caution is best and take care when upgrading
any packages.
^ permalink raw reply [flat|nested] 9+ messages in thread
end of thread, other threads:[~ UTC | newest]
Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
Popular packet sniffing packages contaminated by Trojan Geoff Shang
` Gregory Nowak
` Geoff Shang
` Kenny Hitt
` dashielljt
` Toby Fisher
` dashielljt
` Ann Parsons
` Scott Howell
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).