Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I searched the forum and did not see anything about this; it comes from a reliable source...
OpenSSH Security Advisory (adv.trojan)
1. Systems affected:
OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
OpenBSD ftp server and potentially propagated via the normal mirroring
process to other ftp servers. The code was inserted some time between
the 30th and 31st of July. We replaced the trojaned files with their
originals at 7AM MDT, August 1st.
Anyone who has installed OpenSSH from the OpenBSD ftp server or any
mirror within that time frame should consider his system compromised.
The trojan allows the attacker to gain control of the system as the
user compiling the binary. Arbitrary commands can be executed.
Verify that you did not build a trojaned version of the sources. The
portable SSH tarballs contain PGP signatures that should be verified
before installation. You can also use the following MD5 checksums for
When building the OpenSSH binaries, the trojan resides in bf-test.c
and causes code to execute which connects to a specified IP address.
The destination port is normally used by the IRC protocol. A
connection attempt is made once an hour. If the connection is
successful, arbitrary commands may be executed.
Three commands are understood by the backdoor:
Command A: Kill the exploit.
Command D: Execute a command.
Command M: Go to sleep.
Because of the urgency of this issue, the advisory may not be
complete. Updates will be posted to the OpenSSH web pages if
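The advisory's remedy is to check the downloaded sources against the PGP signatures and the MD5 list before building (the list itself is cut off in the quote above). The script below is an added example, not part of the advisory or of the OpenSSH project: it checks a tarball against an md5sum-format list and, when a detached signature and the signer's key are available, against that signature. It assumes GNU md5sum and gpg, a list in "<md5>  <filename>" form, that the signing key was imported from a trusted out-of-band source, and the ".sig" suffix for the signature file; the tarballs and checksums in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the advisory or this thread: check a downloaded
# source tarball against a checksum list and a detached PGP signature before
# building it. Assumed: GNU md5sum and gpg are installed, the checksum list
# uses "<md5>  <filename>" lines (md5sum format), and the project's signing
# key was already imported from a trusted out-of-band source.

set -u

# verify_md5 LISTFILE TARBALL
# 0 = checksum matches the entry for TARBALL's basename in LISTFILE,
# 1 = mismatch, 2 = no entry for that filename.
verify_md5() {
    list=$1; tarball=$2
    name=$(basename "$tarball")
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$list")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 2
    fi
    actual=$(md5sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "MD5 OK: $name" >&2
        return 0
    fi
    echo "MD5 MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# verify_sig TARBALL SIGFILE
# 0 only when gpg reports a good signature from a key already in the keyring.
# A checksum list can be republished by whoever replaced the tarball; the
# signature cannot be, without the signing key.
verify_sig() {
    tarball=$1; sig=$2
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; cannot verify $sig" >&2
        return 3
    fi
    if gpg --batch --verify "$sig" "$tarball" >/dev/null 2>&1; then
        echo "signature OK: $(basename "$tarball")" >&2
        return 0
    fi
    echo "BAD or unverifiable signature for $(basename "$tarball")" >&2
    return 1
}

# Demo on constructed data: three fake tarballs and a checksum list in which
# one entry is deliberately wrong and one file is unlisted. Prints the three
# return codes, "0 1 2".
demo_md5() {
    dir=$(mktemp -d)
    printf 'good source\n' > "$dir/openssh-good.tar.gz"
    printf 'tampered source\n' > "$dir/openssh-bad.tar.gz"
    printf 'unlisted source\n' > "$dir/openssh-unlisted.tar.gz"
    good=$(md5sum "$dir/openssh-good.tar.gz" | awk '{ print $1 }')
    printf '%s  openssh-good.tar.gz\n' "$good" > "$dir/MD5SUMS"
    printf '%s  openssh-bad.tar.gz\n' 00000000000000000000000000000000 >> "$dir/MD5SUMS"
    codes=""
    for f in good bad unlisted; do
        if verify_md5 "$dir/MD5SUMS" "$dir/openssh-$f.tar.gz" 2>/dev/null; then
            codes="$codes 0"
        else
            codes="$codes $?"
        fi
    done
    rm -rf "$dir"
    echo "${codes# }"
}

# Real use, once the list, the signature file and the key are at hand
# (filenames assumed):
#   verify_md5 MD5SUMS openssh-3.4p1.tar.gz \
#     && verify_sig openssh-3.4p1.tar.gz openssh-3.4p1.tar.gz.sig
```

Run both checks and build only when both return 0. The signature is the check that matters: MD5 was adequate against this 2002 incident, where the checksums were published separately from the tampered mirror files, but it is not collision-resistant today and a checksum hosted next to the tarball proves nothing if the same server was compromised.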
Np, I think it's great to see more ppl get involved posting warnings.
One remark tho, I know the [adv\..*] format is used by OpenSSH for advisories but I guess some ppl don't.
So IMO it would be best to always post the full URI.
My understanding is that the redhat rpms are ok. (of course you can always go download the new source and install it). They found out about the problem within 2 days (the iss vulnerability report says july 30 and 31). The openbsd server was compromised when someone "did something stupid".
Depends on how you define "ok". Pre-3.4 doesn't have privilege separation for instance. To be clear I took the src.rpm's from an OpenSSH mirror, not from update.redhat.com, there they don't go beyond 3.1.
IMNSHO it's best to verify stuff from ISS against another, reliable source. The OpenSSH advisory hints at troubles with ISS, and it's not the first time them security folks have fsck'ed up good with not testing thoroughly, cross platform and releasing advisories for their benefit, after all they *are* a commercial firm.
I don't know if this has anything to do with this trojan, but I've found a file on my machine /usr/local/share/Ssh.bin
Ssh.bin: DBase 3 data file (507582464 records)
I have shut down my ssh and am going to run chkrootkit and see if I can find out anything. BTW: slackware 8.1 and I usually stick with the official Slackware packages when they are available. When they are not, I build from source.
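chkrootkit looks for known artifacts on the host itself. The advisory gives a second, host-independent signal: a build from the trojaned sources tries to reach a fixed address on the IRC port once an hour. The script below is an added example, not from the thread or from any project, that scans firewall log lines for exactly that pattern. It assumes netfilter/iptables LOG lines as written to syslog (SRC=, DST=, DPT= fields, with a non-empty OUT=<iface> on outbound packets) and IRC on TCP/6667, the standard IRC port, which the advisory does not name; the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: flag hosts that keep connecting outbound
# to the IRC port across several distinct hours, the beaconing pattern the
# advisory describes (one attempt per hour). Assumed: netfilter/iptables LOG
# lines in syslog (SRC= DST= DPT= fields; OUT=<iface> non-empty on outbound
# packets) and IRC on TCP/6667, which the advisory does not name. The sample
# log lines below are constructed.

# find_beacons LOGFILE MIN_HOURS
# Prints "SRC DST N" for every source/destination pair with packets to
# DPT=6667 in at least MIN_HOURS distinct hour buckets, sorted.
find_beacons() {
    awk -v min="$2" '
        / OUT=[^ ]/ && / DPT=6667( |$)/ {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            split($3, t, ":")             # $3 is the hh:mm:ss syslog time
            bucket = $1 " " $2 " " t[1]   # month day hour
            key = src " " dst
            if (!((key, bucket) in seen)) {
                seen[key, bucket] = 1
                hours[key]++
            }
        }
        END { for (k in hours) if (hours[k] >= min) print k, hours[k] }
    ' "$1" | sort
}

# Demo on constructed lines: 10.0.0.5 hits 198.51.100.7:6667 in four separate
# hours; 10.0.0.9 connects once; a port-80 line and an inbound reply from
# port 6667 must be ignored. Prints "10.0.0.5 198.51.100.7 4".
demo_beacons() {
    log=$(mktemp)
    cat > "$log" <<'EOF'
Aug  2 01:00:03 gw kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=33412 DPT=6667
Aug  2 01:12:40 gw kernel: IN= OUT=eth0 SRC=10.0.0.9 DST=198.51.100.7 PROTO=TCP SPT=40112 DPT=6667
Aug  2 01:30:11 gw kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.20 PROTO=TCP SPT=33500 DPT=80
Aug  2 02:00:04 gw kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=33587 DPT=6667
Aug  2 02:45:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=6667 DPT=33587
Aug  2 03:00:02 gw kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=33701 DPT=6667
Aug  2 04:00:05 gw kernel: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 PROTO=TCP SPT=33822 DPT=6667
EOF
    find_beacons "$log" 3
    rm -f "$log"
}

# Real use: find_beacons /var/log/messages 3
```

Take the log from a gateway or a separate syslog host rather than from the suspect machine, whose logs a backdoor running as the build user could alter. The check only covers the behaviour the advisory states; it says nothing about a host that has already been told to sleep, or about a variant using a different port.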