Subject: Heads up: suspicious source distribution of OpenSSH 3.4p1 found (xs4)
To: NetBSD tech-security list <tech-security@netbsd.org>
From: Rogier Krieger <rogier@virgiel.nl>
List: tech-security
Date: 08/01/2002 15:23:40
Hello there everyone,

perhaps this is already known to you (in which case I apologise for
the double post; upon checking the archives, however, I did not find
this subject)

I just got this in through the Dutch Educational CERT (CERT-NL).
They have not yet posted on their website (as far as I can tell), but
presumably they will soon. Their website is: [ http://www.cert-nl.nl/ ].

I suspect that in building the tree sources and pkg sources all MD5
sums are checked, showing something out of the ordinary. Still,
sending this notice can't really hurt, given the importance of OpenSSH.

I hope this is of use. You'll find the original message below.

Sincerely,

Rogier Krieger



Date: Thu, 01 Aug 2002 13:25:29 +0200 (MET DST)
From: CERT-NL Xander <cert-nl@surfnet.nl>
Subject: Heads up: suspicious source distribution of OpenSSH 3.4p1 found
Organisation: SURFnet bv
Address: "Radboudburcht, P.O. Box 19035, 3501 DA Utrecht, NL"
Phone: +31 302 305 305
Telefax: +31 302 305 329

Courtesy of the FIRST community and various other sources CERT-NL received
information about a most probably trojaned source distribution of OpenSSH
version 3.4p1. It appears that the file

  ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

and possibly other files on mirror sites contain a suspicious extra piece of
code that connects to an external site when activated.

The suspicious distribution file has a different MD5 checksum and also the
GPG/PGP signature doesn't verify with the corresponding signature file.

CERT-NL strongly advises everybody who downloaded and/or installed the
OpenSSH 3.4p1 package recently to verify the checksum/PGP signature of the
downloaded/installed source file.

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD ports
system:
  MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the Trojaned openssh-3.4p1.tar.gz:
  MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57


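As an added example (not from the original mail, the CERT-NL advisory, or the OpenSSH project), a small POSIX shell check that computes a downloaded tarball's MD5, compares it with the two values quoted in the advisory, and then attempts the PGP verification the advisory recommends. The detached signature name `openssh-3.4p1.tar.gz.sig` and the presence of the OpenSSH release key in the local gpg keyring are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original mail or the CERT-NL advisory.
# Checks a downloaded openssh-3.4p1.tar.gz against the two MD5 values
# quoted in the advisory, then attempts the PGP signature check.
# Assumptions: the detached signature is "<tarball>.sig" and the
# OpenSSH release key is already imported into the local gpg keyring.

GOOD_MD5="459c1d0262e939d6432f193c7a4ba8a8"      # FreeBSD ports value (advisory)
TROJANED_MD5="3ac9bc346d736b4a51d676faa2a08a57"  # value reported for the trojaned file

# Print the MD5 hex digest of a file, using whichever tool is present.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# Classify a hex digest (case-insensitive): KNOWN-GOOD, TROJANED, or
# UNKNOWN when it matches neither value from the advisory.
classify_md5() {
    case "$(printf '%s' "$1" | tr 'A-F' 'a-f')" in
        "$GOOD_MD5")     echo "KNOWN-GOOD" ;;
        "$TROJANED_MD5") echo "TROJANED" ;;
        *)               echo "UNKNOWN" ;;
    esac
}

# Full check of one tarball: MD5 verdict, plus gpg verification when gpg
# and the .sig file are present. Returns 0 only for the known-good digest;
# an UNKNOWN digest must not be trusted without a good signature.
check_tarball() {
    tarball="$1"
    sig="${tarball}.sig"
    verdict=$(classify_md5 "$(file_md5 "$tarball")")
    echo "$tarball: MD5 verdict $verdict"
    if [ -f "$sig" ] && command -v gpg >/dev/null 2>&1; then
        gpg --verify "$sig" "$tarball" && echo "PGP signature: good" \
            || echo "PGP signature: BAD or unverifiable"
    fi
    [ "$verdict" = "KNOWN-GOOD" ]
}
```

Run it as `check_tarball openssh-3.4p1.tar.gz` from the directory holding the download; a TROJANED or UNKNOWN verdict means the file should be discarded and re-fetched from a trusted source.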