On Fri, May 31, 2002 at 09:55:21AM +0200, Anders Nordby wrote: > Although downloading it now seems safe, I think folks should know > this. The changes done were similar to what happened to irssi, but > with a different IP. monkey.org was compromised on May 14th, via an epic4-pre2.511 client-side hole which produced a shell to one of the local admin's accounts. this was later used to reattach to one of his screen sessions, which apparently had a root window open (su very bad!). the dsniff-2.3, fragroute-1.2, and fragrouter-1.6 tarballs were all modified at 3 AM on May 17th to include the same configure backdoor as described in the irssi advisory. no other public web content was modified, and the system was restored a week later, from scratch. the correct checksums are: MD5 (dsniff-2.3.tar.gz) = 183e336a45e38013f3af840bddec44b4 MD5 (fragroute-1.2.tar.gz) = 7e4de763fae35a50e871bdcd1ac8e23a MD5 (fragrouter-1.6.tar.gz) = 73fdc73f8da0b41b995420ded00533cc of the 1951 hosts that successfully downloaded one of the backdoored tarballs, 992 of them were Windows machines and 193 were automated ports downloads for the *BSD dsniff or fragrouter ports, leaving 746 Linux (and a few Solaris and MacOS) hosts potentially vulnerable, and 20 FreeBSD and OpenBSD hosts. we have since migrated our system to OpenBSD-current, importing Niels Provos' excellent systrace subsystem: http://www.citi.umich.edu/u/provos/systrace which allows us to run all user sessions under a restricted syscall policy (e.g. so an IRC client cannot exec(), open() anything outside ~/.irc, etc.), similar in spirit to Goldberg and Wagner's Janus sandbox, or Cowen's SubDomain. in the future, our software distributions may carry embedded signatures via gzsig: http://www.monkey.org/~dugsong/gzsig-0.1.tar.gz but for the time being, please be careful what you download, and carefully audit or sandbox any third-party scripts or software you run... -d. --- http://www.monkey.org/~dugsong/
