[tcpdump-announce] initial comments on trojan attack (fwd)

From: Jonas Eriksson (jeat_private)
Date: Sat Nov 16 2002 - 02:32:22 PST

Next message: Ketil Braun Larsen: "MailEnable POP3 Server remote shutdown !:/ -newest ~ (and previous) bufferoverflow-"

Previous message: securityat_private: "[Full-Disclosure] Security Update: [CSSA-2002-049.0] Linux: lynx CRLF injection vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

---------- Forwarded message ----------
Date: Fri, 15 Nov 2002 19:40:47 -0500
From: Michael Richardson <mcrat_private>
Reply-To: tcpdump-workersat_private
To: tcpdump-announceat_private
Subject: [tcpdump-announce] initial comments on trojan attack

-----BEGIN PGP SIGNED MESSAGE-----

1) the machine hosting cvs.tcpdump.org was likely compromised
   between Nov. 7th and Nov. 10th at 18:24pm.

   The method was likely through an unpatched openssh daemon.
   (The rest of my servers run SSH.com)
   I have not yet confirmed this for sure.

2) an additional public key was added to the .ssh/authorized_keys
   file for my account. This account was used to install the trojan
   files at 10:14am, Monday Nov. 11.

3) The machine was taken offline around 11am Wednesday Nov. 13th.
   The machine is also my mail relay, and stealth DNS primary for
   unsigned (non-DNSSEC) zones.
   As such, the machine has been left on, with no default route,
   but able to exchange DNS and SMTP with others.

4) I have examined the mirrors and confirmed that many mirror operators
   did not take the code offline. Therefore, I've restored the proper
   files, and restored connectivity to the mirror sites.

   The restored files are from my laptop.
   The md5sum of the files on my laptop match those provided by CERT,
   and the files on sourceforge.net.

   I have additional signed the files with my key. We will generate
   a key for really doing this.

   I have not restored 3.6.2, as I haven't yet tracked a perfect copy
   of this, but will soon.

5) I will edit the web site soon to provide this information.

6) I think that we should release a 3.7.1b or .2 or something, no
   code change, just to flush things out.

7) the machine will get flushed (i.e. reformatted) when I return from
   Atlanta/IETF. I expect to limp along until then in this configuration.
   This means that there will be no anon-cvs, and no SSH access.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcrat_private http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: Finger me for keys

iQCVAwUBPdWUDYqHRg3pndX9AQEfOwP5AeHn5F0+mML8l1mlKTSGPbRDE+0Q6t3N
lnUn9+nnmchT/ULyI4ayMGpVkjWfg/DUN/ShuLqjn72jFKLgxqt5DVo6Zy1ASoeu
o6GXrQEPuG6diBW1s6AMnRyAKUxNB+Dr9Wqun+OzXhO+VNgRx6j4M39ckdltzG17
QeG26TVMq70=
=wGS3
-----END PGP SIGNATURE-----
-
This is the TCPDUMP announcement list. It is archived at
http://www.tcpdump.org/lists/announce/maillist.html
To unsubscribe use mailto:tcpdump-announce-requestat_private?body=unsubscribe

Next message: Ketil Braun Larsen: "MailEnable POP3 Server remote shutdown !:/ -newest ~ (and previous) bufferoverflow-"
Previous message: securityat_private: "[Full-Disclosure] Security Update: [CSSA-2002-049.0] Linux: lynx CRLF injection vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Nov 18 2002 - 21:02:14 PST