Linux Today: Linux News On Internet Time.
Search Linux Today
Linux News Sections:  Developer -  High Performance -  Infrastructure -  IT Management -  Security -  Storage -
Linux Today Navigation
LT Home
Contribute
Contribute
Link to Us
Linux Jobs


Top White Papers

More on LinuxToday


Trojan Found in libpcap and tcpdump

Nov 14, 2002, 14:26 (0 Talkback[s])

[ Thanks to LogError for this link. ]

"Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from tcpdump.org were contaminated with trojan code. HLUG has notified the maintainers of tcpdump.org.

"Details:

  • "The trojan contains modifications to the configure script and gencode.c (in libpcap only).
  • The configure script downloads http://mars.raketti.net/~mash/services which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.
  • The program connects to 212.146.0.34 (mars.raketti.net) on port 1963 and reads one of three one byte status codes:
    A - program exits
    D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to 212.146.0.34.
    M - closes connection, sleeps 3600 seconds, and then reconnects..."

Complete Story