OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on theOpenBSD ftp server and potentially propagated via the normal mirroringprocess to other ftp servers.
OpenSSH Security Advisory (adv.trojan)
1. Systems affected:
OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on theOpenBSD ftp server and potentially propagated via the normal mirroringprocess to other ftp servers. The code was inserted some time betweenthe 30th and 31th of July. We replaced the trojaned files with theiroriginals at 7AM MDT, August 1st.
2. Impact:
Anyone who has installed OpenSSH from the OpenBSD ftp server or anymirror within that time frame should consider his system compromised.The trojan allows the attacker to gain control of the system as theuser compiling the binary. Arbitrary commands can be executed.
3. Solution:
Verify that you did not build a trojaned version of the sources. Theportable SSH tar balls contain PGP signatures that should be verifiedbefore installation. You can also use the following MD5 checksums forverification.
MD5 (openssh-3.4p1.tar.gz) =3D 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) =3D d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) =3D 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) =3D 9d3e1e31e8d6cdbfa3036cb183aa4a0
1MD5 (openssh-3.2.2p1.tar.gz.sig) =3D be4f9ed8da1735efd770dc8fa2bb808a
4. Details
When building the OpenSSH binaries, the trojan resides in bf-test.cand causes code to execute which connects to a specified IP address.The destination port is normally used by the IRC protocol. Aconnection attempt is made once an hour. If the connection issuccessful, arbitrary commands may be executed.
Three commands are understood by the backdoor:
Command A: Kill the exploit.
Command D: Execute a command.
Command M: Go to sleep.
5. Notice:
Because of the urgency of this issue, the advisory may not becomplete. Updates will be posted to the OpenSSH web pages ifnecessary.