OpenSSH source trojan

[Compunuts]

If you have lately upgraded either source or from some binary, the trojan is in OpenBSD's source.

Since Debian binaries are updated BEFORE the source got trojaned, at least Debian is not affected taking the fact that you updated OpenSSH via apt-get ( and also some other distros which I dont' remember ). So if you are running OpenSSH, get the update from your distro supplier ASAP.

Now, OpenBSD has got one remote exploit. http://www.openbsd.org

[airhead]

The trojan, as far as anyone knows, only works when compiling from source. The binary is unaffected. All it does is contact a port on a computer which according to the guy on /. who claimed he owned it, is now formatted and reinstalled.

If you want to check your OpenSSH source, here is the MD5 sum of the untrojaned version:

459c1d0262e939d6432f193c7a4ba8a8

The trojaned version has the MD5 sum:

3ac9bc346d736b4a51d676faa2a08a57

[Ashcrow]

[quote author=Compunuts link=board=5;threadid=4436;start=0#44190 date=1028270783]
Now, OpenBSD has got one remote exploit. http://www.openbsd.org
[/quote]

What kind made me sad is that this could have been prevented. The server that houses the OpenBSD projects binaries/source runs Solaris (if I remember correctly). If only they used OpenBSD or NetBSD ther OpenSSH source probably wouldn't have gotten trojaned at the source at least. :

[Compunuts]

[quote author=segfault link=board=5;threadid=4436;start=0#44200 date=1028277072]
The trojan, as far as anyone knows, only works when compiling from source. The binary is unaffected.[/quote]
Not true.

The binaries are also infected if you've got the source that is also infected. It's just that the trojan will contact when compiling time to its server lettting it know that the box had been installed. After that, it's a sleeping snake and that's why they called it trojan instead of worm. Unless you have binaries from uninfected source tar balls such as Debian or a few others, you ARE infected. Upgrade your OpenSSH NOW.

[Compunuts]

[quote author=Ashcrow link=board=5;threadid=4436;start=0#44289 date=1028316824]
The server that houses the OpenBSD projects binaries/source runs Solaris (if I remember correctly).
[/quote]
Man, that's pathetic ...

At least hosting an OS related site, even for a commercial vendor, I would make sure they are running my own OS rather than others. I mean how stupid is that look if I'm telling people to run my own piece of software but I myself use others?? : . It's like telling how great Linux is and all but Red Hat site is hosted on Windows 2000 advanced server hosted box.

[GnuVince]

I have two things to say:
1. ftp.openbsd.org is a Sunsite, this means that it is run on Solaris. So OpenBSD was not hacked, it was Solaris

2. It was the portable version of OpenSSH that was trojaned (the one used on Linux, FreeBSD, etc.) The OpenBSD OpenSSH version was not touched and therefore, people using OpenBSD have nothing to worry about.

i have one thing to say:

1) how stupid can u be if u claim to have the most secure operating system and ur not even using it on your own server?

[GnuVince]

[quote author=Ralinx link=board=5;threadid=4436;start=0#44394 date=1028386412]
i have one thing to say:

1) how stupid can u be if u claim to have the most secure operating system and ur not even using it on your own server?
[/quote]

Need for bandwidth

[Schotty]

[quote author=Ralinx link=board=5;threadid=4436;start=0#44394 date=1028386412]
i have one thing to say:

1) how stupid can u be if u claim to have the most secure operating system and ur not even using it on your own server?
[/quote]

Hosting and mirroring. My bet is that they dont necessarily own the equipment. If that is the case, perhaps they will change that ....

they really should change that.. it just doesn't sound right to say "hey look at our OS.. .it's so secure and so great, oh but we're hosting it on Solaris though"

don't they have any source of income to get them their own server and bandwith?