Open Source "Hacked"?

 
Ranch Hand
Posts: 238
Got this article in my email today from TechRepublic... Gee, is nothing sacred?
THE REAL THREAT OF TROJANED OPEN SOURCE SOFTWARE
Sendmail, which many consider the de facto UNIX mail server software,
was recently a victim of a Trojan horse. Investigations are still ongoing,
but it appears that the main FTP site for the Sendmail 8.12.6 source code
distribution was compromised in late September 2002.
What's interesting is that the Trojan program launches when Sendmail is
compiled from source code, running with the same privileges as the user
compiling Sendmail. So, Sendmail itself doesn't appear to be compromised,
and simply rebooting stops the Trojan's process. If you've downloaded the
Sendmail 8.12.6 code, make sure that it's the authentic version before
compiling it. Better yet, delete it and grab a fresh copy from Sendmail's
Web site in order to verify that it's genuine.
http://www.sendmail.org/
This Sendmail incident raises questions that may never have suitable
answers, including how the intruders got access to the FTP server in the
first place. Now I'm wondering how many other open source software packages
will be tampered with (or already have been).
A few months before the Sendmail exploit, an almost identical incident
occurred with several versions of the OpenSSH source code distribution.
The Trojan looks very similar, being launched and connecting to a fixed
server using TCP port 6667 during the compile process. It's quite likely
that the same person or people are responsible for both incidents, which
involved the main FTP sites for the affected software. So, if you downloaded
and compiled OpenSSH version 3.2.2, 3.4, or 3.4p1 from the source, you
should probably fetch a new copy, since the mirror FTP sites for OpenSSH
copied the Trojaned versions.
If you're the kind of person who downloads and compiles your own open
source software, chances are you know how to verify the source distribution
for your software. I admit that I often overlook this step, but I
certainly won't skip it from now on. I already don't compile most open source
software as the "root" user, because "root" can do anything on a UNIX
system, including wipe it out. It usually isn't wise to regularly use a UNIX
machine as the "root" user anyway. Anyhow, make sudo part of your UNIX
security toolbox if it isn't already.
http://www.courtesan.com/sudo
Trojaned copies of compiled and source code distributions of software
aren't new, but Trojans in two popular open source packages in six months
is probably some sort of record. Luckily, both incidents were quickly
discovered, resolved, and information was released. The insidious nature of
these two incidents highlights the need to verify the authenticity of any
software you download and install, whether you compile it or not.
Most people have no way of knowing whether source code is authentic or
if it has been compromised. So make sure that you always verify the PGP
signature or MD5 checksum on any open source package you use. Modern
package management tools for UNIX such as RPM (which is used on many Linux
distributions) simplify this process tremendously. I suspect that there will
be more reports of compromised open source distributions--the latest two
are only the beginning.
Visit the CERT site for more details about the recent Trojan horse
incident.
[cert advisories link]
Jonathan Yarden is the senior UNIX system administrator, network
security manager, and senior software architect for a regional ISP.
 
Ranch Hand
Posts: 2166
thanks for info.
 
Saloon Keeper
Posts: 27763
This is hardly a problem unique to open source. Twice (that they'll admit to) have servers where some or all of Microsoft's source code resides been invaded.
Reports that the attackers decided that the most damaging thing they could do was leave the original Microsoft code intact are probably just pure meanness.
 
Ranch Hand
Posts: 2379
Well, as sources are open, the nature of products using open sources may be more familiar to the hackers. But do you think that open sources are more vulnerable than closed sources in terms of hacking? I don't think so! Most of the hackers are specially interested in damaging closed source products --- only my own opinion.
 
Ranch Hand
Posts: 68
Does anyone know of a link explaining how
to calculate the MD5 signature of an Apache download?
TIA
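An added example, not posted by anyone in this thread, that does what the quoted article recommends (verify the PGP signature or MD5 checksum before compiling) and answers the question above about checking an MD5 on a download. It assumes GNU coreutils (`md5sum`, `sha256sum`) and GnuPG (`gpg`) are installed, that the published checksum file uses the usual `<hash>  <filename>` layout, and that the signing key has already been imported from a source other than the download mirror. The file names and contents it creates are constructed stand-ins for a real tarball.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies a downloaded source
# distribution against a published checksum, and optionally a detached PGP
# signature. Assumes GNU md5sum/sha256sum and gpg; checksum files are in the
# "<hash>  <name>" (or "<hash> *<name>") format that projects usually publish.

# verify_checksum FILE CHECKSUMFILE [md5|sha256]
# Returns 0 on match, 1 on mismatch, 2 on usage/lookup error.
verify_checksum() {
    file=$1; sums=$2; algo=${3:-sha256}
    case $algo in
        md5)    actual=$(md5sum "$file" 2>/dev/null | awk '{print $1}') ;;
        sha256) actual=$(sha256sum "$file" 2>/dev/null | awk '{print $1}') ;;
        *)      echo "unsupported algorithm: $algo" >&2; return 2 ;;
    esac
    name=$(basename "$file")
    # Pick the line whose file name matches, stripping the "*" binary-mode marker.
    expected=$(awk -v n="$name" \
        '{ f=$2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$sums" 2>/dev/null)
    if [ -z "$expected" ] || [ -z "$actual" ]; then
        echo "no usable entry for $name in $sums" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "$name: $algo OK"
        return 0
    fi
    echo "$name: $algo MISMATCH (expected $expected, got $actual)" >&2
    return 1
}

# verify_signature FILE SIGFILE
# A checksum only proves the tarball matches the hash you were given; if the
# mirror that served the tarball also served the hash, both could be replaced.
# A detached PGP signature ties the file to a key obtained elsewhere.
verify_signature() {
    gpg --verify "$2" "$1"
}

# demo_verify: constructed end-to-end run. Builds a fake tarball and its
# checksum files, checks them, then appends bytes (the tampered-mirror case)
# and confirms the check now fails. Returns 0 if every step behaves as expected.
demo_verify() {
    d=$(mktemp -d) || return 2
    tar="$d/example-1.0.tar.gz"            # constructed stand-in, not a real tarball
    printf 'constructed stand-in for a source tarball\n' > "$tar"
    ( cd "$d" && md5sum example-1.0.tar.gz > example-1.0.tar.gz.md5 \
              && sha256sum example-1.0.tar.gz > example-1.0.tar.gz.sha256 ) || { rm -rf "$d"; return 2; }

    verify_checksum "$tar" "$tar.md5" md5       || { rm -rf "$d"; return 1; }
    verify_checksum "$tar" "$tar.sha256" sha256 || { rm -rf "$d"; return 1; }

    # Tamper with the download while the published hash stays the same.
    printf 'bytes an attacker appended\n' >> "$tar"
    if verify_checksum "$tar" "$tar.md5" md5 2>/dev/null; then
        rm -rf "$d"; return 1          # a tampered file must not pass
    fi
    rm -rf "$d"
    return 0
}

# Stand-alone run: usage is
#   verify_checksum httpd-2.x.tar.gz httpd-2.x.tar.gz.md5 md5
#   verify_signature httpd-2.x.tar.gz httpd-2.x.tar.gz.asc
demo_verify && echo "demo: checksum verification behaves as expected"
```

Usage: put the downloaded tarball and the project's `.md5`/`.sha256` file in one directory and call `verify_checksum` on them; run `verify_signature` as well whenever a detached `.asc` is published, since the signature, unlike a hash hosted next to the file, cannot be swapped by whoever controls the mirror.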
 