OpenSSH Trojan

Bryan Breen Bryan.C.Breen.1 at
Thu Aug 1 19:48:07 PDT 2002

There's something to be said for waiting to see the bugs hammered out of a
program before using it, however...

This OpenSSH Trojan is a different case than there being a bug in the
source code. What happened here was a specific mirror site (a rather
heavily used one) was tainted when their tar-ball of the source code was
changed (when the Trojan was inserted).

There's nothing wrong with the 3.4p1 code, as long as you have an
uninfected source tree/tar-ball.

I keep all my source files (in their original tar'd and gzip/bzip2 format)
just for ease of rebuilding (I'm too damn impatient to wait for a download
even over my cable connection!). I checked my OpenSSH-3.4p1.tar.gz md5sum
and it verified that the copy that I had from June 26th was clean.

So in *this* case, it was actually better that I had gotten the code early
on, instead of waiting.

Perhaps the real lesson is to double check those md5sums or validate them
against a signing key. And in particular, use values that are not coming
from the same server that you are obtaining the source from (and hopefully
not a server that is just an identical mirror).

- B

At 00:32 8/2/02 +0200, you wrote:
>> I think the REAL lesson to be learned here is that you should always
>> wait a good week or two before installing updates. That way somebody
>> else finds the problems, and you don't have to worry about them.
>> Mwuahahahhahahah! ;)
>Remember, when openssh-3.4p1 was released? I think it is *some more* than
>a week ago. ;-)
>- -- 
>- ----------------------------------------------------------------------
>%> ln -s /dev/null /dev/brain
>%> ln -s /dev/urandom /dev/world
>%> dd if=/dev/world of=/dev/brain
>Unsubscribe: send email to listar at
>and put 'unsubscribe lfs-security' in the subject header of the message
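
The check suggested in the message above, as an added example that is not part of the original post: a tarball is accepted only if its digest matches a reference value published on a host other than the download server. The function names, the example.org hosts and the sample bytes are constructed for illustration, and SHA-256 is the default here where the post used md5sum (pass `algorithm="md5"` to compare against an md5sum value).

```python
import hashlib
import hmac
import io
from urllib.parse import urlsplit


def file_digest(stream, algorithm="sha256", chunk_size=65536):
    """Hash a binary stream in chunks so a large tarball need not fit in memory."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def check_tarball(stream, download_url, references, algorithm="sha256"):
    """Return (ok, reason). references is a list of (source_url, hex_digest).

    A reference served by the download host is ignored: whoever altered the
    tarball there could have altered the checksum file next to it as well.
    Hostname comparison cannot recognise an identical mirror under another
    name, so the caller still has to choose sources known not to be mirrors.
    """
    download_host = urlsplit(download_url).hostname
    independent = [(src, digest.strip().lower()) for src, digest in references
                   if urlsplit(src).hostname != download_host]
    if not independent:
        return False, "no checksum from a host other than the download server"
    actual = file_digest(stream, algorithm)
    bad = [src for src, digest in independent
           if not hmac.compare_digest(digest, actual)]
    if bad:
        return False, "digest mismatch against: " + ", ".join(bad)
    return True, f"{algorithm} matches {len(independent)} independent source(s)"


# Constructed sample data: stand-ins for a clean and an altered tarball.
CLEAN = b"constructed stand-in for the original tarball bytes"
ALTERED = CLEAN + b" plus an inserted change"
MIRROR = "https://mirror.example.org/OpenSSH-3.4p1.tar.gz"
MIRROR_SUM = ("https://mirror.example.org/SUMS", hashlib.sha256(ALTERED).hexdigest())
ORIGIN_SUM = ("https://origin.example.net/SUMS", hashlib.sha256(CLEAN).hexdigest())

if __name__ == "__main__":
    for label, data, refs in [("altered, mirror sum only", ALTERED, [MIRROR_SUM]),
                              ("altered, origin sum", ALTERED, [MIRROR_SUM, ORIGIN_SUM]),
                              ("clean, origin sum", CLEAN, [ORIGIN_SUM])]:
        print(label, "->", check_tarball(io.BytesIO(data), MIRROR, refs))
```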