[ale] tcpdump / libpcap trojaned...

Michael H. Warfield mhw at wittsend.com
Wed Nov 13 10:55:26 EST 2002


All,

	This is a shot in the dark for some more information.

	In case you haven't seen Slashdot this morning, it was discovered
yesterday that the tcpdump and libpcap files from www.tcpdump.org were
compromised and a trojan inserted.  I've been able to establish that the
sources were unmodified on October 30 and we know that they were (and
still are) compromised on November 12.  That's a two-week time frame.
If anyone else has downloaded those sources between those two dates,
please contact me and let me know.

	Here are the md5sums of the good and the bad...

3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.bad.tar.gz
03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz
73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.bad.tar.gz
0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz

	If you have the bad package, the site hosting the trojan
contact / download page has removed the download page and the
trojan has been defanged.  Still...  You don't want to build that
package...  :-)  The trojan is targeted at developers, packagers,
and distributors and is very similar in technique to the Sendmail
and OpenSSH attacks from a few months ago.

	TIA!

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
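
An added example, not part of the original message: a Python script that hashes every file under a directory and compares it against the four MD5 sums quoted above, matching on content so a renamed copy is still caught. The function names, the verdict labels and the "unverified" category (a file named like an affected release that matches neither listed sum) are assumptions made for this example.

```python
import hashlib
import os
import sys

# MD5 sums and file names as quoted in the message; verdict labels are added here.
KNOWN_MD5 = {
    "3c410d8434e63fb3931fe77328e4dd88": ("trojaned", "tcpdump-3.7.1.bad.tar.gz"),
    "03e5eac68c65b7e6ce8da03b0b0b225e": ("good", "tcpdump-3.7.1.tar.gz"),
    "73ba7af963aff7c9e23fa1308a793dca": ("trojaned", "libpcap-0.7.1.bad.tar.gz"),
    "0597c23e3496a5c108097b2a0f1bd0c7": ("good", "libpcap-0.7.1.tar.gz"),
}
RELEASES = ("tcpdump-3.7.1", "libpcap-0.7.1")

def md5_of(path, chunk=1 << 16):
    """Hash the file in chunks so large tarballs are not read into memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()

def classify(path, known=KNOWN_MD5):
    """Return (verdict, md5). Content is checked first, file name second."""
    md5 = md5_of(path)
    if md5 in known:
        return known[md5][0], md5
    # Named like an affected release but matching neither listed sum.
    if os.path.basename(path).startswith(RELEASES):
        return "unverified", md5
    return "unrelated", md5

def scan(root, known=KNOWN_MD5):
    """Walk root; return sorted [(verdict, md5, path)], skipping 'unrelated'."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                verdict, md5 = classify(path, known)
            except OSError:
                continue  # unreadable file, nothing to compare
            if verdict != "unrelated":
                hits.append((verdict, md5, path))
    return sorted(hits)

if __name__ == "__main__":
    for verdict, md5, path in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{verdict:10}  {md5}  {path}")
```

Run it with the download or build directory as its argument; "trojaned" and "unverified" lines are the ones to follow up on.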
