debs (et al.), apparently, there's trojan code in tcpdump & libpcap.
woody is okay, right? but those apps in sarge/sid could be affected? (i'm just the curious messenger.) b. att. //
INFORMATION ALERT
AN EMERGING ISSUE WITH: TROJAN CODE PLANTED IN TCPDUMP AND LIBPCAP
SEVERITY: Medium
DATE: November 14, 2002
---------------------------------------------------------------
For an easier-to-read HTML version of this article, go to:
https://www3.watchguard.com/archive/showhtml.asp?pack=135225
---------------------------------------------------------------

SUMMARY:
On November 13, members of the Houston Linux User Group (HLUG) reported that some copies of the popular Linux packet sniffing program, tcpdump, as well as a popular Linux packet sniffing library, libpcap, contain Trojan horses. If you recently downloaded and compiled either tcpdump or libpcap from the altered source code, a hacker could gain complete control of your system and simultaneously render his activity invisible. There is no direct impact on WatchGuard products. Administrators who have recently installed tcpdump or libpcap should reboot their machines and verify the integrity of these applications.

EXPOSURE:
Tcpdump is a very popular Linux packet sniffer application <http://www.webopedia.com/TERM/s/sniffer.html> used to monitor network traffic. Libpcap is a popular library of functions <https://www3.watchguard.com/archive/images/lsglossary.htm#function> used by many network applications that need to "sniff" network traffic, such as tcpdump, Snort and Ethereal. If you capture network traffic on a Linux machine, you probably use either tcpdump or the libpcap library.

According to members of the Houston Linux User Group (HLUG) <http://www.hlug.org/>, the source code for tcpdump and libpcap on the official tcpdump site <http://tcpdump.org> has been infected with a Trojan. The infected software has also made its way to many official mirror sites. According to an advisory released by CERT <http://www.cert.org/advisories/CA-2002-30.html>, it appears the infected packages were uploaded to the tcpdump site sometime on or around November 11.
When you compile the infected tcpdump and libpcap packages, the Trojan makes an outgoing connection to a fixed remote IP address using TCP port 1963. If the connection is successfully established, the attacker can gain remote shell <http://www.webopedia.com/TERM/s/shell.html> access to your server. The remote shell has the same privileges as the user who compiled the application. Therefore, if you compiled one of the infected packages using root privileges, the attacker gains full control of your server. Since the Trojan makes an outgoing connection, it will pass through any firewall that is not egress filtering <http://rr.sans.org/firewall/egress.php>.

In an interesting twist, the Trojan also alters the packet sniffer libraries in a way that any packets from the hacker's IP are ignored. In short, the hacker can hide himself from your network monitors.

If this attack sounds familiar, it is. The attack is identical to the Trojans recently found in both OpenSSH and Sendmail. In fact, the design of the Trojan suggests that all three cases are the work of the same hacker. For more information on those past cases, see our Information Alerts on August 1 <https://www3.watchguard.com/archive/showhtml.asp?pack=135156> and October 9 <https://www3.watchguard.com/archive/showhtml.asp?pack=135200>.

SOLUTION PATH:
If you have recently installed the tcpdump or libpcap packages, it may already be too late to protect your server. Details on this Trojan are still emerging. However, the previous Sendmail and OpenSSH Trojans only ran once, during the application's build process. Rebooting your machine removed the malicious service from the machine's memory in the past. We recommend you at least reboot your machine in case those previous details hold true with this new Trojan. After rebooting your machine, run "netstat" to see whether or not your machine is connected on port 1963. If you do not find any connections on port 1963, then that hacker's backdoor is not in effect.
We also recommend you un-install tcpdump and libpcap and delete the infected packages. CERT provides a great step-by-step document <http://www.cert.org/tech_tips/win-UNIX-system_compromise.html> on recovering from a system compromise that you should follow if you have installed the infected tcpdump and libpcap packages.

This is a good example of why it is important to use signature files when downloading software. Signature files provide a means of verifying the authenticity of the file you are downloading. Although it appears that the infected packages were first introduced around November 11, if you downloaded tcpdump or libpcap in the past few weeks, we recommend you use the signatures in CERT's advisory <http://www.cert.org/advisories/CA-2002-30.html> to verify your packages. For more information on validating downloads with an MD5 checksum signature, see this CERT page: <http://www.cert.org/security-improvement/implementations/i002.01.html>.

-- For WatchGuard Firebox and SOHO Users:
Since the WatchGuard SOHO and Firebox allow all outgoing connections by default, the solutions above are your primary recourse. However, you can use the Firebox or SOHO to block outgoing access that uses TCP port 1963 and prevent attackers from exploiting this port in the future.

-- For ServerLock and AppLock/Web Users:
These vulnerabilities primarily affect Linux systems. However, it is possible to compile these applications on a Solaris system as well. ServerLock for Solaris was specifically designed to protect against the damage caused by unauthorized users who might gain root privileges via a vulnerability of this nature. While ServerLock does not prevent this Trojan, it does protect core Solaris system files from corruption or modification, regardless of user privileges.

STATUS:
There is no official word from Tcpdump.org yet.

DIRECT IMPACT ON WATCHGUARD PRODUCTS:
None.
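The two checks the solution path describes (looking for a port 1963 connection in netstat output, and comparing a downloaded package against a published MD5 checksum) as an added POSIX shell example; this is not WatchGuard's or CERT's code. The netstat lines, the IP addresses and the checksum used in the demo are constructed placeholders; in practice the expected checksum comes from the CERT advisory.

```shell
#!/bin/sh
# Added example: scan netstat-style output (stdin) for any TCP session whose
# local or foreign address uses port 1963, the port the alert attributes to
# the Trojan. Prints matching lines; returns 0 if any matched, 1 otherwise.
check_port_1963() {
    found=1
    while IFS= read -r line; do
        case "$line" in
            tcp*) ;;            # skip the header and non-TCP rows
            *) continue ;;
        esac
        set -- $line            # split the row into whitespace-separated fields
        for f in "$@"; do
            case "$f" in
                # Linux prints addr:port, BSD-style netstat prints addr.port
                *:1963|*.1963) echo "suspicious: $line"; found=0 ;;
            esac
        done
    done
    return $found
}

# Compare a downloaded file against an expected MD5 checksum. Returns 0 on match.
verify_md5() {
    file=$1; expected=$2
    if command -v md5sum >/dev/null 2>&1; then
        actual=$(md5sum "$file" | cut -d' ' -f1)
    else
        actual=$(openssl md5 "$file" | sed 's/.*= //')   # e.g. BSD/macOS
    fi
    [ "$actual" = "$expected" ]
}

# Constructed sample output: one SSH session plus one session to port 1963.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:22           192.0.2.55:40120        ESTABLISHED
tcp        0      0 192.0.2.10:35871        203.0.113.9:1963        ESTABLISHED'
CLEAN_NETSTAT='tcp        0      0 192.0.2.10:22           192.0.2.55:40120        ESTABLISHED'

main_demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | check_port_1963 && echo "port 1963 session found: investigate"
    # Constructed file whose MD5 (of the bytes "abc") is known; stands in for a tarball.
    tmp=$(mktemp); printf 'abc' > "$tmp"
    verify_md5 "$tmp" 900150983cd24fb0d6963f7d28e17f72 && echo "checksum matches"
    rm -f "$tmp"
}
main_demo
```

On a live system you would pipe `netstat -an` into `check_port_1963` and pass the tarball plus the advisory's checksum to `verify_md5`.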
IMPACT ON NETWORKS PROTECTED BY WATCHGUARD PRODUCTS:
If you have recently downloaded tcpdump or libpcap from tcpdump.org or one of its mirrors, you are susceptible to an attacker gaining total control of your machine.

REFERENCES:
Net-Security's story on this Trojan <http://www.net-security.org/news.php?id=1436>
Information from Houston Linux Users Group on this Trojan <http://151.164.128.17/def-con/>
CERT's advisory <http://www.cert.org/advisories/CA-2002-30.html>
TISC editorial, "The Importance of Egress Filtering" <https://www3.watchguard.com/archive/showhtml.asp?pack=135208>

This alert was researched and written by Corey Nachreiner.