---------- Forwarded message ---------- Date: Fri, 15 Nov 2002 19:40:47 -0500 From: Michael Richardson <mcr@sandelman.ottawa.on.ca> Reply-To: tcpdump-workers@sandelman.ottawa.on.ca To: tcpdump-announce@tcpdump.org Subject: [tcpdump-announce] initial comments on trojan attack -----BEGIN PGP SIGNED MESSAGE----- 1) the machine hosting cvs.tcpdump.org was likely compromised between Nov. 7th and Nov. 10th at 18:24pm. The method was likely through an unpatched openssh daemon. (The rest of my servers run SSH.com) I have not yet confirmed this for sure. 2) an additional public key was added to the .ssh/authorized_keys file for my account. This account was used to install the trojan files at 10:14am, Monday Nov. 11. 3) The machine was taken offline around 11am Wednesday Nov. 13th. The machine is also my mail relay, and stealth DNS primary for unsigned (non-DNSSEC) zones. As such, the machine has been left on, with no default route, but able to exchange DNS and SMTP with others. 4) I have examined the mirrors and confirmed that many mirror operators did not take the code offline. Therefore, I've restored the proper files, and restored connectivity to the mirror sites. The restored files are from my laptop. The md5sum of the files on my laptop match those provided by CERT, and the files on sourceforge.net. I have additional signed the files with my key. We will generate a key for really doing this. I have not restored 3.6.2, as I haven't yet tracked a perfect copy of this, but will soon. 5) I will edit the web site soon to provide this information. 6) I think that we should release a 3.7.1b or .2 or something, no code change, just to flush things out. 7) the machine will get flushed (i.e. reformatted) when I return from Atlanta/IETF. I expect to limp along until then in this configuration. This means that there will be no anon-cvs, and no SSH access. ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) Comment: Finger me for keys iQCVAwUBPdWUDYqHRg3pndX9AQEfOwP5AeHn5F0+mML8l1mlKTSGPbRDE+0Q6t3N lnUn9+nnmchT/ULyI4ayMGpVkjWfg/DUN/ShuLqjn72jFKLgxqt5DVo6Zy1ASoeu o6GXrQEPuG6diBW1s6AMnRyAKUxNB+Dr9Wqun+OzXhO+VNgRx6j4M39ckdltzG17 QeG26TVMq70= =wGS3 -----END PGP SIGNATURE----- - This is the TCPDUMP announcement list. It is archived at http://www.tcpdump.org/lists/announce/maillist.html To unsubscribe use mailto:tcpdump-announce-request@tcpdump.org?body=unsubscribe
