Carsten Gehrke carsten at
Mon Nov 25 09:36:09 PST 2002

At 06:43 25-11-02, you wrote:
>On Mon, 25 Nov 2002 14:34:19 -0000
>"Matthew Burgess" <ca9mbu at> wrote:
> >
> > Either of these any good for you Ian?  Hint
> > 
> > sa=N :)
>I'm just a little worried about the recent tcpdump? trojan...

As you should be.  I narrowly escaped getting that trojan because I did not 
trust the MD5 fingerprint that was available from the 
site.  Check with CERT for the details, but here is a relevant excerpt from 
their advisory which I received a few hours after I downloaded tcpdump from 
the main site:

    Where to get libpcap and tcpdump

    While the compromise of these distributions is being investigated, the
    tcpdump and libpcap maintainers recommend using the following
    distribution sites:


    Sites that mirror the source code are encouraged to verify the
    integrity of their sources. We also encourage users to inspect any and
    all other software that may have been downloaded from the compromised
    site. Note that it is not sufficient to rely on the timestamps or
    sizes of the file when trying to determine whether or not you have a
    copy of the Trojan horse version.

    Verifying checksums

    The MD5 hashes of the vendor suggested updates for libpcap and tcpdump
    are as follows:

        md5sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
        md5sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz

Remember, this is not the full message, but I think it includes what you 
need.  Of course, why would you trust some guy on a mailing list...

Carsten Gehrke     LFS No.: 190    using Linux since kernel 0.98
carsten at
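
An added example, not part of the original message or the advisory: it parses the `md5sum <hash> <file>` lines quoted above and checks a download against them, and `demo()` uses two constructed files to show why equal size and timestamp prove nothing. The helper names, temp paths and file contents are assumptions; MD5 appears only because it is what the advisory published, and the pinned hash must come from a source independent of the download site.

```python
import hashlib
import os
import re
import tempfile

# Checksum lines copied from the advisory excerpt quoted in the message.
ADVISORY = """
        md5sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
        md5sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
"""
LINE = re.compile(r"^\s*md5sum\s+([0-9a-fA-F]{32})\s+(\S+)\s*$")

def parse_advisory(text):
    """Return {filename: md5hex} from 'md5sum <hash> <file>' lines."""
    pinned = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pinned[m.group(2)] = m.group(1).lower()
    return pinned

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def verify(path, pinned):
    """True only if the file name is pinned and its digest matches."""
    expected = pinned.get(os.path.basename(path))
    return expected is not None and md5_of(path) == expected

def demo():
    """Constructed files with equal size and mtime; 'good' stands in for the pinned original."""
    root = tempfile.mkdtemp()
    good = os.path.join(root, "good", "tcpdump-3.7.1.tar.gz")
    bad = os.path.join(root, "bad", "tcpdump-3.7.1.tar.gz")
    for path, body in ((good, b"A" * 4096), (bad, b"A" * 4095 + b"B")):
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(body)
        os.utime(path, (1037000000, 1037000000))  # identical timestamps
    same_meta = (os.path.getsize(good) == os.path.getsize(bad)
                 and os.path.getmtime(good) == os.path.getmtime(bad))
    pinned = {"tcpdump-3.7.1.tar.gz": md5_of(good)}
    return same_meta, verify(good, pinned), verify(bad, pinned)

if __name__ == "__main__":
    print(parse_advisory(ADVISORY), demo())
```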
