To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=107790
Issue #|107790
Summary|Mirror Site Contains Compromised Code - URGENT
Component|Installation
Version|OOo 3.1.1
Platform|PC
URL|
OS/Version|Linux
Status|UNCONFIRMED
Status whiteboard|
Keywords|
Resolution|
Issue type|DEFECT
Priority|P1
Subcomponent|ui
Assigned to|of
Reported by|bmwmarv
--- Additional comments from bmwm...@openoffice.org Sun Dec 20 00:21:41
+ 2009 ---
Downloaded OOo 3.1.1 today and ran the tar.gz. Rather than extracting OOo, it
extracted other software to my computer that contained Paros and Yersinia. Upon
looking up information regarding this software, it is used for Layer 2 attacks
and analysis. The 'yersinia.log' entry that it created is pasted below wherein
the script attempted to stop pcap on my machine to prevent detection.
Additionally, all of the file dates, including the log entry, did not agree with
today's date, which I believe was an attempt to prevent detection of recently
installed and executed applications.

I do not know which mirror the software I downloaded initially originated from,
as I used the automatic download located here:
http://download.openoffice.org/contribute.html?download=bouncer&product%3DOpenOffice.org%26os%3Dlinuxintelwjre%26lang%3Den-US%26version%3D3.1.1

The name of the file that I downloaded was
OOo_3.1.1_LinuxIntel_install_wJRE_en-US.tar.gz.

The items the file created when I untarred it were a link to my desktop, a
desktop config file entitled 'Set IP Address', and a folder entitled 'paros' that
contained an empty document entitled 'AcceptedLicense', config.xml, and
paros.message.txt, which contained the following:
2007-03-04 13:41:06,327 INFO Constant - Created directory /root/paros/
2007-03-04 13:41:06,340 INFO Constant - Copying defaults from xml/config.xml to /root/paros/config.xml
2007-03-04 13:41:06,380 INFO Constant - Creating directory /root/paros/session
2007-03-04 13:41:06,381 INFO Paros - Paros 3.2.8 started.
2007-03-04 13:41:21,509 INFO PluginFactory - loaded plugin Password Autocomplete in browser
2007-03-04 13:41:21,511 INFO PluginFactory - loaded plugin Secure page browser cache
2007-03-04 13:41:21,511 INFO PluginFactory - loaded plugin Cross site scripting
2007-03-04 13:41:21,512 INFO PluginFactory - loaded plugin Cross site scripting without brackets
2007-03-04 13:41:21,513 INFO PluginFactory - loaded plugin Cold Fusion default file
2007-03-04 13:41:21,514 INFO PluginFactory - loaded plugin Lotus Domino default files
2007-03-04 13:41:21,515 INFO PluginFactory - loaded plugin IIS default file
2007-03-04 13:41:21,515 INFO PluginFactory - loaded plugin Macromedia JRun default files
2007-03-04 13:41:21,516 INFO PluginFactory - loaded plugin Tomcat source file disclosure
2007-03-04 13:41:21,517 INFO PluginFactory - loaded plugin BEA WebLogic example files
2007-03-04 13:41:21,518 INFO PluginFactory - loaded plugin IBM WebSphere default files
2007-03-04 13:41:21,520 INFO PluginFactory - loaded plugin Directory browsing
2007-03-04 13:41:21,522 INFO PluginFactory - loaded plugin Private IP disclosure
2007-03-04 13:41:21,523 INFO PluginFactory - loaded plugin Session ID in URL rewrite
2007-03-04 13:41:21,523 INFO PluginFactory - loaded plugin CRLF injection
2007-03-04 13:41:21,524 INFO PluginFactory - loaded plugin MS SQL Injection
2007-03-04 13:41:21,525 INFO PluginFactory - loaded plugin SQL Injection
2007-03-04 13:41:21,526 INFO PluginFactory - loaded plugin SQL Injection Fingerprinting
2007-03-04 13:41:21,527 INFO PluginFactory - loaded plugin Obsolete file
2007-03-04 13:41:21,527 INFO PluginFactory - loaded plugin Obsolete file extended check
2007-03-04 13:41:21,528 INFO PluginFactory - loaded plugin Parameter tampering
2007-03-04 13:41:21,529 INFO PluginFactory - loaded plugin Server side include
2007-03-04 13:41:22,000 INFO FilterFactory - loaded filter Change user agent to other browsers.
2007-03-04 13:41:22,001 INFO FilterFactory - loaded filter Detect insecure or potentially malicious content in HTTP responses.
2007-03-04 13:41:22,001 INFO FilterFactory - loaded filter Detect and alert 'Set-cookie' attempt in HTTP response for modification.
2007-03-04 13:41:22,001 INFO FilterFactory - loaded filter Avoid browser cache (strip off IfModifiedSince)
2007-03-04 13:41:22,002 INFO FilterFactory - loaded filter Log cookies sent by browser.
2007-03-04 13:41:22,002 INFO FilterFactory - loaded filter Log unique GET queries into file (filter/get.xls)
2007-03-04 13:41:22,002 INFO FilterFactory - loaded filter Log unique POST queries into file (filter/post.xls)
2007-03-04 13:41:22,003 INFO FilterFactory - loaded filter Log request and response in