Yeah that's why it's getting increasingly important to digitally sign files
before releasing them, so that way you can tell if someone screwed with the
file.

Explorer has caused a general protection fault in module kernel32.dll.
I'm sick of Winblows!

----- Original Message -----
From: "Scott Howell" <showell@xxxxxxxxx>
To: <speakup at braille.uwo.ca>
Sent: Wednesday, November 13, 2002 7:07 PM
Subject: [pehrens at ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]

> Folks, I am subscribed to the list about Nmap. This info might be very
> interesting to folks. I have not had a chance to verify all the info nor
> have I seen anything from Bug Track, but that could be more a problem
> with not getting mail from my ISP. In any case, if anyone does know more,
> please share.
>
> tnx
>
>
> ----- Forwarded message from Philip Ehrens <pehrens at ligo.caltech.edu> -----
>
> Mailing-List: contact nmap-hackers-help at insecure.org; run by ezmlm
> From: Philip Ehrens <pehrens at ligo.caltech.edu>
> To: Fyodor <fyodor at insecure.org>
> Cc: nmap-hackers at insecure.org
> Subject: Re: Nmap *NOT* affected by libpcap trojan
> Mail-Followup-To: Philip Ehrens <pehrens at lrxms.net>,
> Fyodor <fyodor at insecure.org>, nmap-hackers at insecure.org
>
> I would like to point out that the type of trojan described below
> is becoming increasingly common. ftp.sendmail.org was compromised
> recently and a similar trojan was placed in the sendmail source
> tarball.
>
> I know of at least 12 common packages that have had their source
> tarballs compromised within the last 3 months on servers that were
> considered secure. The folks doing this have gone as far as to
> hijack DNS and root machines on specific subnets in order to place
> this type of trojan.
>
> These trojans are activated during the build process of the source
> tarball in most cases, usually the configure script contains some
> variation of code that establishes a connection to a remote machine.
>
> I believe that the folks doing this are actually trying to catch
> certain specific machines or subnets, and are not doing this to
> set up DDOS or just to own large numbers of boxes. When I activated
> one of these trojans while building a package all that happened was
> that my /etc/passwd file was shipped off. The machine listening on
> the other end never did anything except stay connected for a while.
>
> I expect to see more and more of this at an accelerating rate
> from now on... if you are letting root make remote connections
> you are asking for trouble!
>
> Sorry for using your list for this Fyodor, I won't do it again.
>
> Phil
>
> Fyodor wrote:
> > I just wanted to send out a quick note that the version of libpcap
> > shipped with Nmap does NOT contain the trojan described at:
> >
> > http://hlug.fscker.com/
> > http://slashdot.org/article.pl?sid=02/11/13/1255243&mode=nested&tid=172&threshold=3
> >
> > Cheers,
> > -F
>
> --------------------------------------------------
> For help using this (nmap-hackers) mailing list, send a blank email to
> nmap-hackers-help at insecure.org . List run by ezmlm-idx (www.ezmlm.org).
>
> ----- End forwarded message -----
>
> _______________________________________________
> Speakup mailing list
> Speakup at braille.uwo.ca
> http://speech.braille.uwo.ca/mailman/listinfo/speakup
>
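
Added example, not part of the original thread or of any project named in it: one way to act on the point made at the top of the thread, checking a source tarball against a SHA-256 digest before anything in it is unpacked or its configure script is run. The function names are this example's own, and it assumes the expected digest came from a channel independent of the download server (for instance a signed release announcement), since a checksum stored next to a replaced tarball can be replaced with it.

```shell
#!/bin/sh
# Added example: gate unpacking of a source tarball on a pinned SHA-256.
# Assumption: the expected digest was obtained out of band, not from the
# same server the tarball was downloaded from.

# sha256_of FILE -> prints the lowercase hex SHA-256 of FILE
sha256_of() {
    sha256sum "$1" 2>/dev/null | cut -d' ' -f1
}

# verify_tarball FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 if FILE is unreadable or the
# expected value is not exactly 64 hex characters.
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || return 2
    case $expected in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    actual=$(sha256_of "$file")
    [ -n "$actual" ] || return 2
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# gated_unpack FILE EXPECTED_SHA256 DESTDIR
# Extracts only after the digest check passes, so a modified configure
# script is never written to disk, let alone executed.
gated_unpack() {
    verify_tarball "$1" "$2" || {
        rc=$?
        echo "refusing to unpack $1: digest check failed (rc=$rc)" >&2
        return "$rc"
    }
    mkdir -p "$3" && tar -xf "$1" -C "$3"
}
```
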