Salut ŕ tous,
Vérifiez vos compils B-(
Dany Vanderroost
-o)
/\\
_\_v
-----Original Message-----
From: Domonkos Czinke [mailto:[EMAIL PROTECTED]]
Sent: lundi 18 novembre 2002 8:23
To: VANDERROOST Dany (ADMIN)
Subject: Trojan Found in libpcap and tcpdump
FYI
Members of The Houston Linux Users Group discovered that the newest sources
of libpcap and tcpdump available from tcpdump.org were contaminated with
trojan code. HLUG has notified the maintainers of tcpdump.org.
Details:
The trojan contains modifications to the configure script and gencode.c (in
libpcap only).
The configure script downloads http://mars.raketti.net/~mash/services which
is then sourced with the shell. It contains an embedded shell script that
creates a C file, and compiles it.
The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and
reads one of three one byte status codes:
A - program exits
D - forks and spawns a shell and does the needed file descriptor
manipulation to redirect it to the existing connection to 212.146.0.34.
M - closes connection, sleeps 3600 seconds, and then reconnects
It's important to note that it reuses the same outgoing connection for the
shell. This gets around firewalls that block incoming connections.
Gencode.c is modified to force libpcap to ignore packets to/from the
backdoor program, hiding the backdoor program's traffic.
This is similar to the OpenSSH trojan a few months ago.
URL: http://www.net-security.org/news.php?id=1436
Best Regards,
Domonkos Czinke
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
_______________________________________________________
Linux Mailing List - http://www.unixtech.be
Subscribe/Unsubscribe: http://www.unixtech.be/mailman/listinfo/linux
Archives: http://www.mail-archive.com/linux@lists.unixtech.be
IRC: efnet.unixtech.be:6667 - #unixtech
