Linux Today: Linux News On Internet Time.


Trojan Found in libpcap and tcpdump

Nov 14, 2002, 14:26

[ Thanks to LogError for this link. ]

"Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from were contaminated with trojan code. HLUG has notified the maintainers of


  • "The trojan contains modifications to the configure script and gencode.c (in libpcap only).
  • The configure script downloads which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.
  • The program connects to ( on port 1963 and reads one of three one byte status codes:
    A - program exits
    D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to
    M - closes connection, sleeps 3600 seconds, and then reconnects..."
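
A defender-side check for the reconnect behaviour described above, as an added example that is not part of the advisory or the original article: it scans constructed flow records for connections to port 1963 spaced about 3600 seconds apart. The record format, the addresses, the tolerance value and the function names are assumptions.

```python
from collections import defaultdict

BEACON_PORT = 1963        # port named in the advisory
SLEEP_SECONDS = 3600      # sleep before reconnect (status code M)
TOLERANCE = 120           # assumed slack for connect time and clock jitter

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port"
# (documentation address ranges, not indicators from the advisory).
SAMPLE_FLOWS = """\
1037284000 192.0.2.10 198.51.100.7 1963
1037284500 192.0.2.11 203.0.113.5 80
1037287603 192.0.2.10 198.51.100.7 1963
1037291210 192.0.2.10 198.51.100.7 1963
1037291300 192.0.2.12 198.51.100.9 1963
1037291900 192.0.2.11 203.0.113.5 443
garbage line
"""

def parse_flows(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def find_beacons(text, port=BEACON_PORT, period=SLEEP_SECONDS, tol=TOLERANCE):
    """Return {(src, dst): verdict} for every pair seen on the port."""
    times = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == port:
            times[(src, dst)].append(ts)
    verdicts = {}
    for pair, stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        periodic = sum(1 for g in gaps if abs(g - period) <= tol)
        # One connection is worth a look; repeated ~hourly gaps match
        # the close/sleep/reconnect loop.
        verdicts[pair] = "periodic" if periodic >= 2 else "single-or-irregular"
    return verdicts

if __name__ == "__main__":
    for (src, dst), verdict in sorted(find_beacons(SAMPLE_FLOWS).items()):
        print(f"{src} -> {dst}:{BEACON_PORT} {verdict}")
```

Any host that appears in the result built or ran software on the network and is worth checking for the contaminated sources, whichever verdict it receives.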
