Puzzling Trojan affects OpenSSH

Geeks have been sent scampering to solve the case of how the latest Open secure shell (SSH) package came to be Trojaned.

The infected file was discovered on the OpenBSD website, but all mirrors should also be considered compromised.

This afternoon, alerts started popping up on security websites that a Trojan horse was hidden in the most recent portable version of OpenSSH, v3.4p1.

The strange thing is that the backdoor appears only to be active while the files are being built; the resultant generated binaries are clean.

If the infected files are downloaded and compiled, during the build process the Trojan will attempt to connect to IP 203.62.158.32 port 6667, which belongs to a Melbourne-based hosting company, SNS Online.

There is some speculation that the SNS box may have been hacked and owned by someone who is using it to try and take over a host of *nix boxes, because when the Trojan becomes active it is listening for one of three commands from the Aussie server.

In one case the Trojan may go to sleep for an hour, which immediately pours water on the theory that it is only active during build. In another it will abort completely. The third option will spawn a command shell with whatever privileges the user at the time was running with.

Many people compile software logged in as root, which means that the hacker could potentially have gained root control over a number of boxes.

The backdoor came to light when one user discovered that the MD5 checksums, designed to verify the authenticity of the code, did not match.

Some users report that early downloads of the file do not seem to have been exploited, however, and the Trojaned file has only appeared in the last day or so.

Another puzzle that has cropped up is that if whoever modified the file had access to the source code and the server, why did they not modify the MD5 checksum as well?

The group that runs Open BSD has been informed, but it is not yet clear what action is being taken.