Hello, my first post to the list. Cool.. :)

Sorry for the horrible formatting: this was posted in haste using Netscape's Mail client :(

Anyways, we did some research here at Oulu regarding the propagation of the trojaned OpenSSH-3.4p1.tar.gz, and found out the following:

Trojaned mirrors:

The list was taken from http://www.openssh.com/portable.html, it does NOT contain all the mirrors out there, just the primary ones, I guess.. The list was taken around 1700 hours EEST.

Also, it should be apparent that NOTHING from ftp.openbsd.org should be trusted until their sysadmins have done full damage assessment.

Also, some people have debated on the severity of opening a shell to some remote location. Please note, that any commands may be run over such a connection, perhaps patching the OpenSSH source code a bit further, or dropping a platform-specific rootkit to the victim's system: the author had gone to great lengths to make the code as portable as possible.

My e-mail address is obfuscated to repel spammers, however, if you wish to contact me or any other members of our group, you'll find our contact details from our web pages.

Regards,
Tomi

--------------Tomi Nylund, Research Scientist, OUSPG----------------
Group info & contact details at http://www.ee.oulu.fi/research/ouspg
PGP key: http://www.ee.oulu.fi/research/ouspg/ouspg-key.asc
Key fingerprint = B2 F7 97 09 F5 4C 29 97 9A A8 2D FB 59 CA 10 C4
-------------Oulu University Secure Programming Group---------------
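
A mirror survey of the kind the post describes, as an added example that is not part of the original message: it hashes every copy of one tarball in a local tree with one directory per mirror host and sorts the mirrors by whether their copy matches a known trojaned digest. The function names, the `known_bad` parameter and the sample tree with placeholder hosts are assumptions; MD5 is the default only because the post reports MD5 values.

```python
import hashlib
import os
import tempfile

def file_digest(path, algo="md5", chunk=1 << 16):
    """Hash a file in chunks so large tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def survey_mirrors(root, filename, known_bad, algo="md5"):
    """Classify each mirror directory under root by the digest of its copy."""
    report = {"trojaned": [], "other": {}, "missing": []}
    for mirror in sorted(os.listdir(root)):
        mirror_dir = os.path.join(root, mirror)
        if not os.path.isdir(mirror_dir):
            continue
        copies = [os.path.join(d, filename)
                  for d, _, files in os.walk(mirror_dir) if filename in files]
        if not copies:
            report["missing"].append(mirror)   # mirror never carried the file
            continue
        digests = {file_digest(p, algo) for p in copies}
        if known_bad.lower() in digests:
            report["trojaned"].append(mirror)
        else:
            for d in digests:                  # group the rest by digest
                report["other"].setdefault(d, []).append(mirror)
    return report

def build_sample_tree(root):
    """Constructed sample: three placeholder mirrors, one serving altered bytes."""
    name = "openssh-3.4p1.tar.gz"
    contents = {"mirror-a.example": b"clean bytes",
                "mirror-b.example": b"altered bytes",
                "mirror-c.example": None}      # mirror without the file
    for mirror, data in contents.items():
        d = os.path.join(root, mirror, "pub", "OpenSSH", "portable")
        os.makedirs(d)
        if data is not None:
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
    return name, hashlib.md5(b"altered bytes").hexdigest()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        fname, bad = build_sample_tree(tmp)
        print(survey_mirrors(tmp, fname, bad))
```

A digest shared by most mirrors is not proof of authenticity; the reference value has to come from a source independent of the mirrors being surveyed.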