Trojan Added to TCP Wrappers Source on FTP

P.J. Hinton wrote in to send us a link to a CERT advisory explaining that the sources to TCP wrappers were actually replaced with a nice new and improved version. Complete with a trojan. It was caught fairly quickly after it was uploaded, but it's still kinda scary. Update: 01/22 01:07 by CT: Several people sent in the Bugtraq post over at Linux Today, which has a lot more details clarifying the situation.
  • by Anonymous Coward

    I haven't confirmed this, but it seems like Rob has put some code in to keep the first few posts from showing up in the order of submitting. I've posted several articles to stories that said something like 1 or 2 comments on the main page and still somehow got the first post. After a while, the other posts would show up (and no, they didn't have lower scores).

    Jason Eric Pierce
  • Mettler's attack is a modification of your system by a trusted user, via source. It's slightly different from the TCP-Wrappers crack in that you presumably don't have extensive peer review over your own system.

    Researching a different topic I came across an interesting CERT advisory regarding loadable kernel modules. One common response to Mettler was that any kernel hack would require recompiling the kernel, and restarting the system. With loadable modules, system restart isn't necessary -- the kernel can be modified in place, as it runs.

    In all three instances, confirming source, object, or image against a trusted version would help in detection. Kernel compromise is a frightening prospect as it undermines the trustworthiness of the entire system. Booting a fresh kernel, however, removes the damage (you then have to keep the rogue modules out).
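
    The detection approach this comment describes (confirming source, object or image against a trusted copy), as an added shell example that is not from the thread, from CERT or from any particular integrity tool: it records SHA-256 digests of a directory tree into a manifest and later reports files that were modified, removed or added. The function names and the sample files are assumptions constructed for the example, and SHA-256 is used in place of the MD5 the thread mentions.

```shell
#!/bin/sh
# Added example, not code from the thread or from any named tool.
# Build a manifest of SHA-256 digests for a directory tree, then compare
# the tree against it. Keep the manifest where the monitored host cannot
# rewrite it (read-only media, another machine); a compromised host that
# can edit the manifest can hide its own changes.
# Assumes GNU coreutils (sha256sum, find, sort, awk). Paths containing
# whitespace are not handled.

# make_baseline DIR MANIFEST
# Writes "digest  ./path" lines, sorted by path, for every regular file.
make_baseline() {
    dir=$1
    manifest=$2
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$manifest"
}

# check_baseline DIR MANIFEST
# Prints one line per change: "MODIFIED path", "MISSING path" or "NEW path".
# Returns 0 when the tree matches the manifest, 1 when anything differs.
check_baseline() {
    dir=$1
    manifest=$2
    current=$(mktemp)
    ( cd "$dir" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$current"
    status=0

    # Every file the manifest knows about: digest must still match.
    while read -r sum path; do
        cur=$(awk -v p="$path" '$2 == p { print $1 }' "$current")
        if [ -z "$cur" ]; then
            echo "MISSING $path"
            status=1
        elif [ "$cur" != "$sum" ]; then
            echo "MODIFIED $path"
            status=1
        fi
    done < "$manifest"

    # Every file present now that the manifest never recorded.
    while read -r sum path; do
        awk -v p="$path" '$2 == p { found = 1 } END { exit !found }' "$manifest" \
            || { echo "NEW $path"; status=1; }
    done < "$current"

    rm -f "$current"
    return $status
}
```

    Typical use is `make_baseline /usr/local/src/tcp_wrappers baseline.sha256` right after unpacking a verified copy, then `check_baseline` from cron or before each rebuild; a non-zero exit with any MODIFIED line is the signal the comment is after, and the same pair of calls works on an installed object tree or a kernel module directory.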

  • Well, FreeBSDers check the MD5 every time they use the ports system to install something. What's even better is that since the FreeBSDers all have their own copy of the MD5, simply changing it on the site won't help.
  • I think people found out quite fast, but how the hell did it get there in the first place? :)

    Bram at grmbl dot com
  • An 3l33t hax0r with an IQ about 100 higher than that of the average 3l33t hax0r, of course. Most 3l33t hax0rs I've seen around couldn't write a Hello World program, much less backdoor a tcp wrapper.
  • I wasn't talking about intelligent people who crack systems recreationally. I was talking about "3l33t hax0rs," which yes, would imply people who "tYpE L1k3 this." VERY few of them know the first thing about programming.
  • First, the change was easy enough to detect - the distribution is signed by Venema's PGP key. If a person downloading the source bothered to check the signature it would have been immediately obvious that something was screwy.

    Second, it *was* detected and corrected very rapidly.

    All in all, a success story.

    - Ken
  • The idea that someone could embed a trojan, backdoor, or otherwise malevolent code into some publicly available app has been around for quite a long time now. Of course, when someone brings that idea up around a group of OSS advocates, the immediate response is "They'll be found out almost instantly."

    As far as I'm aware, this is the first incident where some deliberate foul play was detected and handled. Guess those wacky OSS advocates were right. =)

    -- (remove the SPAM-B-GONE bit)

  • Am I the only person surprised to see that CERT actually got an advisory out on the same day?

    Now that I find disturbing :-)


  • The first tripwire in this sort of attack is, as you suggest, signing of packages and sources you upload. As long as a cryptographically strong signature (such as PGP) is used, this is usually enough to assure you that the sources haven't been modified. This will not protect against Trojans inserted by the legitimate authors, though, which is why a second tripwire is needed: source review. I'm not a network security expert, and I'm not really capable of reviewing packages: so I trust the PGP signature (at least for my home computer). But I also know that many sysadmins who run sensitive systems are properly paranoid and will not only check the PGP signature but ALSO scrutinize the source themselves. It's one of those paranoid sysadmins who caught the TCP-Wrapper Trojan, and it's one of those paranoid sysadmins who will catch the next Trojan inserted into Open-Source software.

    So the only Open-Source Trojan that will really succeed is one put in place by a conspiracy of EVERY single sysadmin worldwide... I'm not worried.

    This message has been brought to you by the Sysadmin Conspiracy: There Is No Sysadmin Conspiracy (tinsc).
  • ...if it was a setup to show the OSS strength? It seems too easy.

    To whom is the email sent?
    Who first discovered the trojans?
    Was it someone that downloaded the code?
    Was it one of the sysadmins scanning the logs?

    Answers to some of these questions will tell.

  • I repeat--the TCP Wrappers source attack isn't scary at all.

    The hack went in on the 21st. It's now the 22nd, barely.

    This is scary? It took one day to detect and handle a security problem? Closed source products can have security issues for years and years before their existence becomes public knowledge. Took them a day.

    Indeed, it is only when attacks become "open source" in a sense that they're cured.

    Once you pull the pin, Mr. Grenade is no longer your friend.
  • Who (or address) was the knucklehead where this came from? I'm thankful for MD5s. May the infinite pings of a thousand sysadmins infest his dialup connection.
  • when some jackass makes himself look like a fool with a false-first posting :)
  • A few months ago some guy warned about such a possibility

    but i agree with Effugas: it's not that bad to have such a thing in open source software than in some closed source one; the first one (open) can be handled for example by viewing the source or choosing the download site carefully; but protecting ourselves against bugs/viruses/trojans distributed in closed source software is far harder

  • yes ... you do not explain why but i agree

    if we have a fine crypto system with key exchange then every piece of software could be signed by author/packager/producer/... and we should be able to authenticate the person and then trust him or download the software from someone else

    our slogan should be: sign what you produce
    (i will ... soon :)

  • I fully agree with you
  • >This is just the reason why we need solid and unrestricted encryption software...

    There was MD5 sum for this package and there was detached PGP signature.

    But how often do you care to check signatures when you are downloading a package? And it seems that anything at all can contain trojans.

    Read a nice article by Ken Thompson about a trojan in a C compiler. Have you checked the MD5 sum when you downloaded the GCC binary last time? And as Thompson shows, recompiling GCC from sources with an untrusted compiler doesn't help you.
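
    The two checks this comment and the earlier "first tripwire" comment talk about (an MD5 sum and a detached PGP signature), as an added shell example that is not from the thread, from CERT or from the TCP Wrappers distribution: a checksum obtained somewhere other than the download site is compared with the downloaded file, and when a detached signature is shipped it is verified with gpg against a key already in the local keyring. The function names, the sample file and the digests in the test are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from the TCP Wrappers project.
# Verify a downloaded source archive before unpacking it: digest first,
# then detached PGP signature. Assumes coreutils md5sum/sha256sum and gpg.
# The expected digest and the signer's public key must come from a source
# independent of the mirror (a local ports tree, a printed checksum, a key
# obtained earlier); a digest or key fetched from the compromised site
# proves nothing, which is the point the FreeBSD ports comment makes.

# verify_checksum FILE EXPECTED [ALGO]
# Compares FILE's hex digest with EXPECTED. ALGO is md5 or sha256
# (default sha256). Returns 0 on match, 1 on mismatch or unreadable file.
verify_checksum() {
    file=$1
    expected=$2
    algo=${3:-sha256}
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    case "$algo" in
        md5)    actual=$(md5sum "$file" | cut -d' ' -f1) ;;
        sha256) actual=$(sha256sum "$file" | cut -d' ' -f1) ;;
        *)      echo "unknown algorithm: $algo" >&2; return 1 ;;
    esac
    # Published digests are sometimes upper-case; compare case-insensitively.
    expected=$(printf '%s' "$expected" | tr 'A-Z' 'a-z')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file: got $actual, expected $expected" >&2
    return 1
}

# verify_signature FILE SIGFILE
# Verifies a detached signature. Fails closed when gpg is missing rather
# than silently skipping the check. gpg only succeeds if the signing key is
# already in the keyring, so an attacker cannot supply their own key.
verify_signature() {
    file=$1
    sig=$2
    command -v gpg >/dev/null 2>&1 \
        || { echo "gpg not installed; refusing to trust $file" >&2; return 1; }
    gpg --batch --verify "$sig" "$file" 2>/dev/null
}

# verify_download FILE EXPECTED_SUM [ALGO] [SIGFILE]
# Both checks must pass; a missing SIGFILE means no signature was shipped.
verify_download() {
    file=$1
    expected=$2
    algo=${3:-sha256}
    sig=${4:-}
    verify_checksum "$file" "$expected" "$algo" || return 1
    if [ -n "$sig" ]; then
        verify_signature "$file" "$sig" || return 1
    fi
    echo "ok: $file" >&2
    return 0
}
```

    Usage is `verify_download tcp_wrappers.tar.gz <digest from a trusted copy> md5 tcp_wrappers.tar.gz.sig` (file names are placeholders). The digest check alone would have caught the swap the story describes only because the FreeBSD ports tree kept its own copy of the sum; the signature check catches it even when the attacker replaced the published MD5 as well, provided Venema's key was imported before the incident.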

  • That's a fallacious argument, since you can't prove that we have found all backdoors in OSS. The hypothesis is a self-fulfilling one...
  • Dum Da-da Da Dumm!
  • Mr. Grenade doesn't become your friend until after you pull the pin.

  • I'm finding over time it's prudent to let others raid Freshmeat for me and discover security flaws or even bugs before I bother downloading.
  • While what you say might very well be true, it doesn't say anything about the previous person's statement. Most of the general population are also not skilled programmers.

    He (I assume) was saying that cracking does not strongly correlate to programming skills, not that it correlates more or less than some other activity.

    Most of the crackers I've talked to are what the BBS world used to call ruggies, or rugrats. About 1-5% of them may, someday, grow up to be skilled programmers. Most people with the knowledge to develop new cracking techniques are also grown up enough not to use it.

  • "Lets first someone test it for quite a while to save YOUR ass from trojans."

    This trojan horse was not inserted by the authors of the package. Instead, it was inserted by someone that broke into the ftp site. This would be the same as breaking into MS web site and uploading a patch infected with a trojan horse. Waiting x amount of time has nothing to do with this.

    "1. PGP key can be successfully forged."

    ??? PLEASE...who are you kidding. Do you know anything about cryptography? Forging a PGP sig is so unlikely that it would be more feasible for the offender to physically force you to hand over your private key.


    Go away troll - Linux/Unix does not use drive letters.

    "How many of you review low level assembler routines present in Linux?"

    _WHY_ would I do this?? Obviously you are from the MS world of closed source where you do not have access to the source code.

  • Sure, it's cool that the problem was identified and snuffed in a day or so.

    How the hell did it happen to begin with? CERT is always so coy about *that*.

    Dropping this into tcpd is like tugging on Superman's cape. Someone is gonna get serious props from the kiddieZ for this one.

  • It probably just put the idea in someone's head...
    Either that, or it's a conspiracy :)
