Ethereal-users: [Ethereal-users] FW: [linux] [newbie] warning on tcpdump and libcap
I pass this on for what it's worth.
Personally, I would only trust the tcpdump site for a true state of
affairs, and they don't mention it. However their archive of tar balls
seems to be inaccessible/broken. The current tarball is accessible and
does not seem to be infected. (I checked the two diffs given below.)
The string "1963" does not appear in wpcap.dll 2.3. I surmise that it is
not infected.
My apologies if this turns out to be a false alarm.
--
Richard Urwin, Private
"No 9000 series computer has ever made a mitsake or corrubiteddatatato."
-----Original Message-----
From: newbie-owner@xxxxxxxxxxxxxxxxxx
[mailto:newbie-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of Ken Walker
Sent: 13 November 2002 15:06
To: 'newbie@xxxxxxxxxxxxxxxxxx'
Subject: [linux] [newbie] warning on tcpdump and libcap
warning on tcpdump and libcap
I've just received the following, don't know if it's true!
>Hi,
>
>Apparently libpcap and tcpdump have been trojaned, in a similar way to
>openssh earlier this year. Information about how long this has been the
>case is sketchy. Trojaned versions appear to have made it out to a
>number of mirrors.
>
>Further details can be found at http://hlug.fscker.com (mirror
>http://www2.def-con.org/mirror/hlug.fscker.com/ appears to work).
>
>The tarballs available at www.tcpdump.org appear to still be trojaned.
>
>Good sources:
>http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
>http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
>http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz
>
>MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
>MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
>MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz
>
>Trojaned sources:
>http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
>http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
>http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz
>
>MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
>MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
>MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
>
>The program connects to 212.146.0.34 (mars.raketti.net) on port 1963
>when the configure script is run. Sites with logs of network traffic
>may wish to check for connections to this IP over recent days.
>
>We would be interested in hearing about any machines found to be
>compromised using this route.
>
>Regards
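The two checks the forwarded advisory asks for, as an added example that is not part of the original message: classify a downloaded tarball by the MD5 sums it lists, and search connection logs for the callback address it names. The function names and the sample log lines are constructed for illustration; the log format is an assumption.

```python
import hashlib
import re

# MD5 sums and callback endpoint copied from the forwarded advisory above.
GOOD = {
    "0597c23e3496a5c108097b2a0f1bd0c7",  # libpcap-0.7.1.tar.gz
    "6bc8da35f9eed4e675bfdf04ce312248",  # tcpdump-3.6.2.tar.gz
    "03e5eac68c65b7e6ce8da03b0b0b225e",  # tcpdump-3.7.1.tar.gz
}
TROJANED = {
    "73ba7af963aff7c9e23fa1308a793dca",  # libpcap-0.7.1.tar.gz
    "3a1c2dd3471486f9c7df87029bf2f1e9",  # tcpdump-3.6.2.tar.gz
    "3c410d8434e63fb3931fe77328e4dd88",  # tcpdump-3.7.1.tar.gz
}
C2_IP, C2_PORT = "212.146.0.34", 1963

# Constructed sample log lines (tcpdump-style and a generic firewall style).
SAMPLE_LOG = [
    "10:01:02.123456 192.0.2.10.40112 > 212.146.0.34.1963: S 1:1(0) win 5840",
    "10:01:03.000001 192.0.2.10.40113 > 212.146.0.34.80: S 1:1(0) win 5840",
    "10:01:04.000002 192.0.2.11.40114 > 198.51.100.7.1963: S 1:1(0) win 5840",
    "Nov 13 10:01:05 fw conn out dst=212.146.0.34:1963 proto=tcp",
]


def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5 so large tarballs are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def classify(digest):
    """Return 'trojaned', 'listed-good' or 'unknown' for an MD5 hex digest."""
    digest = digest.strip().lower()
    if digest in TROJANED:
        return "trojaned"
    if digest in GOOD:
        return "listed-good"
    return "unknown"  # in neither list: not evidence that the file is clean


def callback_hits(lines):
    """Return the log lines that mention C2_IP on port C2_PORT."""
    pat = re.compile(r"(?<![\d.])" + re.escape(C2_IP) + r"[.:]"
                     + str(C2_PORT) + r"(?!\d)")
    return [ln for ln in lines if pat.search(ln)]
```

A tarball is checked with `classify(md5_of(path))`; a hit from `callback_hits` on a build host means the configure script of a trojaned copy was probably run there.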