Backdoored dsniff, fragroute and fragrouter

In a recent hack of the irssi server, the attacker modified the configure script, which gave him shell access to any system that installed the backdoored irssi program. The same thing happened to Dug Song’s Monkey.org: dsniff-2.3, fragroute-1.2 and fragrouter-1.6 were modified. FreeBSD Problem Report ports/38716 notes the following:

The previous checksum for the tarball should be changed, monkey.org was cracked and the fragroute application backdoored (in the same way as irssi). To avoid wrongly identifying the current (corrected) tarball as incorrect this patch is required. I have communicated with the author (Dug Song) myself and confirmed the md5 in this diff is valid. I have also bumped the PORTREVISION.

Anyone who installed this port should conduct an IMMEDIATE security audit of their systems. I imagine this includes the port build cluster.

Dug Song posted the following to BugTraq:

Monkey.org was compromised on May 14th, via an epic4-pre2.511 client-side hole which produced a shell to one of the local admin’s accounts. This was later used to reattach to one of his screen sessions, which apparently had a root window open (su very bad!).

The dsniff-2.3, fragroute-1.2, and fragrouter-1.6 tarballs were all modified at 3 AM on May 17th to include the same configure backdoor as described in the irssi advisory. No other public web content was modified, and the system was restored a week later, from scratch. The correct checksums are:

MD5 (dsniff-2.3.tar.gz) = 183e336a45e38013f3af840bddec44b4

MD5 (fragroute-1.2.tar.gz) = 7e4de763fae35a50e871bdcd1ac8e23a

MD5 (fragrouter-1.6.tar.gz) = 73fdc73f8da0b41b995420ded00533cc

Of the 1951 hosts that successfully downloaded one of the backdoored tarballs, 992 of them were Windows machines and 193 were automated ports downloads for the *BSD dsniff or fragrouter ports, leaving 746 Linux (and a few Solaris and MacOS) hosts potentially vulnerable, and 20 FreeBSD and OpenBSD hosts.

(…)

In the future, our software distributions may carry embedded signatures via gzsig:
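The defence both the FreeBSD PR and Dug Song's post rely on is a checksum pinned out of band (in the port's distinfo, or in a mailing-list post) rather than one fetched from the same server that serves the tarball. The following is an added example, not code from the page, monkey.org or the FreeBSD ports tree; it pins the three MD5 values published above and refuses a distfile that does not match them (the demo directory and its file contents are constructed sample data).

```python
import hashlib
import hmac
from pathlib import Path

# Known-good MD5 checksums as published by Dug Song on BugTraq (quoted on this page).
# MD5 is weak against collisions; a pin kept today should use SHA-256 via the
# `algorithm` parameter, but the values on the page are MD5, so that is the default here.
KNOWN_GOOD_MD5 = {
    "dsniff-2.3.tar.gz": "183e336a45e38013f3af840bddec44b4",
    "fragroute-1.2.tar.gz": "7e4de763fae35a50e871bdcd1ac8e23a",
    "fragrouter-1.6.tar.gz": "73fdc73f8da0b41b995420ded00533cc",
}


def file_digest(path, algorithm="md5"):
    """Hash a file in 64 KiB chunks so a large tarball need not fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distfile(path, expected_hex, algorithm="md5"):
    """True only if the file's digest equals the pinned value (constant-time compare)."""
    return hmac.compare_digest(file_digest(path, algorithm), expected_hex.lower())


def check_distdir(distdir, pins=KNOWN_GOOD_MD5, algorithm="md5"):
    """Check every pinned tarball present in distdir.

    Returns {name: "ok" | "MISMATCH" | "missing"}; a build script should stop on
    any MISMATCH instead of running the tarball's configure script.
    """
    results = {}
    for name, expected in pins.items():
        p = Path(distdir) / name
        if not p.is_file():
            results[name] = "missing"
        elif verify_distfile(p, expected, algorithm):
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed demo: a temp distdir with a tampered dsniff tarball (sample bytes, not the real file).

    Returns (path of a sample file holding b"abc", results of check_distdir)."""
    import tempfile
    d = Path(tempfile.mkdtemp())
    (d / "dsniff-2.3.tar.gz").write_bytes(b"not the real tarball")  # constructed tampered file
    sample = d / "sample.tar.gz"
    sample.write_bytes(b"abc")  # RFC 1321 test vector, MD5 900150983cd24fb0d6963f7d28e17f72
    return str(sample), check_distdir(d)
```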

References:

  • Irssi IRC Chat Client Backdoor
  • irssi.org: irssi 0.8.4 backdoor
  • Trojan/backdoor in fragroute 1.2 source distribution
  • FreeBSD Problem Report ports 38716
