Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.

Trojan Found in libpcap and tcpdump

[es] :: Linux :: Trojan Found in libpcap and tcpdump

[ Pregleda: 3342 | Odgovora: 0 ] > FB > Twit

Postavi temu Odgovori

Autor

Pretraga teme: Traži
Markiranje Štampanje RSS

stinger
Luka Gerzic
DELTA M, IT Department
DELTA M HQ

Član broj: 126
Poruke: 1099
*.drenik.net

ICQ: 57419599
Sajt: www.gerzic.net


Profil

icon Trojan Found in libpcap and tcpdump13.11.2002. u 16:55 - pre 260 meseci
Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org. See our reports here





Latest libpcap & tcpdump sources from tcpdump.org contain a trojan.
Background:

Libpcap provides a packet sniffing library for programs like Snort.
Tcpdump is a standard tool for packet sniffing.
Details:


The trojan contains modifications to the configure script and gencode.c (in libpcap only).

The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.

The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
A - program exits
D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
M - closes connection, sleeps 3600 seconds, and then reconnects
Hmm... ADM...


It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.

Gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic.

This is similar to the OpenSSH trojan a few months ago.

Updates:
Many Mirrors are infected with the trojan!!!
Main Mirror Site (wiretapped.net) will no longer be providing tcpdump downloads until things are straightened out.
 
Odgovor na temu

[es] :: Linux :: Trojan Found in libpcap and tcpdump

[ Pregleda: 3342 | Odgovora: 0 ] > FB > Twit

Postavi temu Odgovori

Navigacija
Lista poslednjih: 16, 32, 64, 128 poruka.