To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=107790
                 Issue #|107790
                 Summary|Mirror Site Contains Compromised Code - URGENT
               Component|Installation
                 Version|OOo 3.1.1
                Platform|PC
                     URL|
              OS/Version|Linux
                  Status|UNCONFIRMED
       Status whiteboard|
                Keywords|
              Resolution|
              Issue type|DEFECT
                Priority|P1
            Subcomponent|ui
             Assigned to|of
             Reported by|bmwmarv

------- Additional comments from bmwm...@openoffice.org Sun Dec 20 00:21:41 +0000 2009 -------
Downloaded OOo 3.1.1 today and ran the tar.gz; rather than extracting OOo, it
extracted other software to my computer that contained Paros and Yersinia.  Upon
looking up information regarding this software, it is used for Layer 2 attacks
and analysis.  The 'yersinia.log' entry that it created is pasted below, wherein
the script attempted to stop pcap on my machine to prevent detection.
Additionally, all of the file dates, including the log entry, did not agree with
today's date, which I believe was an attempt to prevent detection of recently
installed and executed applications.

I do not know which mirror the software I downloaded initially originated from
as I used the automatic download located here: 
http://download.openoffice.org/contribute.html?download=bouncer&product%3DOpenOffice.org%26os%3Dlinuxintelwjre%26lang%3Den-US%26version%3D3.1.1

The name of the file that I downloaded was
OOo_3.1.1_LinuxIntel_install_wJRE_en-US.tar.gz.

The folder the file created when I untarred it contained a link to my desktop, a
desktop config file entitled 'Set IP Address', and a folder entitled 'paros' that
contained an empty document entitled 'AcceptedLicense', config.xml, and
paros.message.txt, which contained the following:

2007-03-04 13:41:06,327 INFO  Constant - Created directory /root/paros/
2007-03-04 13:41:06,340 INFO  Constant - Copying defaults from xml/config.xml to
/root/paros/config.xml
2007-03-04 13:41:06,380 INFO  Constant - Creating directory /root/paros/session
2007-03-04 13:41:06,381 INFO  Paros - Paros 3.2.8 started.
2007-03-04 13:41:21,509 INFO  PluginFactory - loaded plugin Password
Autocomplete in browser
2007-03-04 13:41:21,511 INFO  PluginFactory - loaded plugin Secure page browser
cache
2007-03-04 13:41:21,511 INFO  PluginFactory - loaded plugin Cross site scripting
2007-03-04 13:41:21,512 INFO  PluginFactory - loaded plugin Cross site scripting
without brackets
2007-03-04 13:41:21,513 INFO  PluginFactory - loaded plugin Cold Fusion default 
file
2007-03-04 13:41:21,514 INFO  PluginFactory - loaded plugin Lotus Domino default
files
2007-03-04 13:41:21,515 INFO  PluginFactory - loaded plugin IIS default file
2007-03-04 13:41:21,515 INFO  PluginFactory - loaded plugin Macromedia JRun
default files
2007-03-04 13:41:21,516 INFO  PluginFactory - loaded plugin Tomcat source file
disclosure
2007-03-04 13:41:21,517 INFO  PluginFactory - loaded plugin BEA WebLogic example
files
2007-03-04 13:41:21,518 INFO  PluginFactory - loaded plugin IBM WebSphere
default files
2007-03-04 13:41:21,520 INFO  PluginFactory - loaded plugin Directory browsing
2007-03-04 13:41:21,522 INFO  PluginFactory - loaded plugin Private IP 
disclosure
2007-03-04 13:41:21,523 INFO  PluginFactory - loaded plugin Session ID in URL
rewrite
2007-03-04 13:41:21,523 INFO  PluginFactory - loaded plugin CRLF injection
2007-03-04 13:41:21,524 INFO  PluginFactory - loaded plugin MS SQL Injection
2007-03-04 13:41:21,525 INFO  PluginFactory - loaded plugin SQL Injection
2007-03-04 13:41:21,526 INFO  PluginFactory - loaded plugin SQL Injection
Fingerprinting
2007-03-04 13:41:21,527 INFO  PluginFactory - loaded plugin Obsolete file
2007-03-04 13:41:21,527 INFO  PluginFactory - loaded plugin Obsolete file
extended check
2007-03-04 13:41:21,528 INFO  PluginFactory - loaded plugin Parameter tampering
2007-03-04 13:41:21,529 INFO  PluginFactory - loaded plugin Server side include
2007-03-04 13:41:22,000 INFO  FilterFactory - loaded filter Change user agent to
other browsers.
2007-03-04 13:41:22,001 INFO  FilterFactory - loaded filter Detect insecure or
potentially malicious content in HTTP responses.
2007-03-04 13:41:22,001 INFO  FilterFactory - loaded filter Detect and alert
'Set-cookie' attempt in HTTP response for modification.
2007-03-04 13:41:22,001 INFO  FilterFactory - loaded filter Avoid browser cache
(strip off IfModifiedSince)
2007-03-04 13:41:22,002 INFO  FilterFactory - loaded filter Log cookies sent by
browser.
2007-03-04 13:41:22,002 INFO  FilterFactory - loaded filter Log unique GET
queries into file (filter/get.xls)
2007-03-04 13:41:22,002 INFO  FilterFactory - loaded filter Log unique POST
queries into file (filter/post.xls)
2007-03-04 13:41:22,003 INFO  FilterFactory - loaded filter Log request and
response into file (filter/message.txt)
2007-03-04 13:41:22,003 INFO  FilterFactory - loaded filter Replace HTTP request
body using defined pattern.
2007-03-04 13:41:22,003 INFO  FilterFactory - loaded filter Replace HTTP request
header using defined pattern.
2007-03-04 13:41:22,003 INFO  FilterFactory - loaded filter Replace HTTP
response body using defined pattern.
2007-03-04 13:41:22,004 INFO  FilterFactory - loaded filter Replace HTTP
response header using defined pattern.
2007-03-04 13:41:23,746 INFO  MenuFileControl - new session file created
2007-03-04 13:41:48,916 INFO  Spider - spider started.
2007-03-04 13:41:55,547 INFO  Spider - Spider completed
2007-03-04 13:42:12,354 INFO  MenuFileControl - Paros 3.2.8 terminated.

The config.xml file contained the following:

30020008    8080         localhost 8080  0 localhost 80 443    0   0    2 5    
   2 2

The 'paros' folder also contained a subfolder entitled 'session' which contained
binaries entitled untitled1.data, untitled1.properties, untitled1.script.

# yersinia v0.7 started in BT on Sun Mar  4 13:55:51 2007


 eth1 iflinkname EN10MB
 eth1 iflinkdesc Ethernet
 eth1 MAC = 0050.8bc9.4fef
 g00dbye function called from -1218500384

 ints_destroy started...
 ints_destroy killing pcap_listener(-1218503760)...

 thread_destroy -1218500384 destroying -1218503760...
 thread_destroy -1218500384 after PTHREAD_JOIN -1218503760...
 ints_destroy finished...
 Showing MOTD..
# yersinia finished on Sun Mar  4 13:55:52 2007

THIS IS CLEARLY NOT OpenOffice.org and appears to be malicious code.

---------------------------------------------------------------------
Please do not reply to this automatically generated notification from
Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@installation.openoffice.org
For additional commands, e-mail: issues-h...@installation.openoffice.org
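The report above is a case where the practitioner's first move should have been to inspect the archive before extracting it: hash it, list its members, and look at the top-level names and the member timestamps. The following is an added example written for this page; it is not code from the OpenOffice.org project or from the issue reporter. It builds a small constructed tarball shaped like the one described in the report (a 'paros' tree and a yersinia log, all stamped with 2007 mtimes; the file contents are placeholders) and runs those checks on it without extracting anything. The allowed top-level directory name 'ooo-install' and the 2009-01-01 cut-off are placeholders for whatever the genuine archive is documented to create and for a date the downloader knows the build predates.

```python
# Added example: pre-extraction checks for a downloaded tar.gz.
# Not code from the OpenOffice.org project or from the issue reporter.
import calendar
import hashlib
import io
import tarfile
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Placeholder cut-off (assumption): members older than this are suspicious.
SAMPLE_CUTOFF = calendar.timegm((2009, 1, 1, 0, 0, 0, 0, 0, 0))


@dataclass
class TarReport:
    sha256: str
    hash_ok: Optional[bool]               # None when no expected digest was given
    top_level: Set[str]                   # first path component of every member
    unexpected_top_level: Set[str]        # top-level entries outside the allowed set
    stale_members: List[Tuple[str, int]]  # (name, mtime) older than the cut-off
    unsafe_paths: List[str]               # absolute paths or '..' components

    def looks_clean(self) -> bool:
        return (self.hash_ok is not False and not self.unexpected_top_level
                and not self.stale_members and not self.unsafe_paths)


def inspect_tarball(data: bytes,
                    expected_sha256: Optional[str] = None,
                    allowed_top_level: Optional[Set[str]] = None,
                    oldest_ok: Optional[int] = None) -> TarReport:
    """Hash the archive and walk its member list WITHOUT extracting anything.

    The digest check is only meaningful if expected_sha256 came from somewhere
    other than the mirror that served the file (the project's own page or a
    signed announcement), since a compromised mirror can serve a matching sum.
    """
    digest = hashlib.sha256(data).hexdigest()
    hash_ok = None if expected_sha256 is None else digest == expected_sha256.lower()
    top: Set[str] = set()
    stale: List[Tuple[str, int]] = []
    unsafe: List[str] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for m in tf.getmembers():
            parts = m.name.split("/")
            if m.name.startswith("/") or ".." in parts:
                unsafe.append(m.name)          # would escape the extraction dir
            top.add(parts[0])
            if oldest_ok is not None and m.mtime < oldest_ok:
                stale.append((m.name, int(m.mtime)))
    unexpected = (top - allowed_top_level) if allowed_top_level is not None else set()
    return TarReport(digest, hash_ok, top, unexpected, stale, unsafe)


def build_sample_tarball() -> bytes:
    """Constructed sample: a 'paros' folder and a yersinia log with 2007 mtimes.

    Shaped after the listing in the issue; contents are placeholders.
    """
    old = calendar.timegm((2007, 3, 4, 13, 41, 6, 0, 0, 0))
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        def add(name: str, payload: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            info.mtime = old
            tf.addfile(info, io.BytesIO(payload))
        add("paros/AcceptedLicense", b"")
        add("paros/config.xml", b"<config/>\n")
        add("paros/paros.message.txt",
            b"2007-03-04 13:41:06,381 INFO  Paros - Paros 3.2.8 started.\n")
        add("yersinia.log", b"# yersinia v0.7 started in BT on Sun Mar  4 13:55:51 2007\n")
    return buf.getvalue()


if __name__ == "__main__":
    blob = build_sample_tarball()
    # 'ooo-install' is a placeholder (assumption) for the documented top-level dir.
    report = inspect_tarball(blob, allowed_top_level={"ooo-install"},
                             oldest_ok=SAMPLE_CUTOFF)
    print("sha256:", report.sha256)
    print("top-level entries:", sorted(report.top_level))
    print("unexpected:", sorted(report.unexpected_top_level))
    print("stale members:", report.stale_members)
    print("looks clean:", report.looks_clean())
```

Run against the constructed sample, the report flags both top-level entries as unexpected and every member as stale, which is exactly the signal the reporter only noticed after extraction. The same checks by hand are `sha256sum` (or whatever digest the project publishes) compared against a value obtained from the project site rather than the mirror, and `tar -tvzf file.tar.gz` to read names and dates before anything touches the filesystem.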

