[pehrens at ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap trojan]

Alex Snow alex_snow at gmx.net
Wed Nov 13 19:44:54 EST 2002

Yeah that's why it's getting increasingly important to digitally sign files
before releasing them, so that way you can tell if someone screwed with the
Explorer has caused a general protection fault in module kernel32.dll. I'm
sick of Winblows!
----- Original Message -----
From: "Scott Howell" <showell at lrxms.net>
To: <speakup at braille.uwo.ca>
Sent: Wednesday, November 13, 2002 7:07 PM
Subject: [pehrens at ligo.caltech.edu: Re: Nmap *NOT* affected by libpcap

> Folks, I am subscribed to the list about Nmap. This info might be very
> interesting to folks. I have not had a chance to verify all the info nor
> have I seen anything from Bug Track, but that could be more a problem
> with not getting mail from my ISP. In any case, if anyone does know more,
> please share.
> tnx
> ----- Forwarded message from Philip Ehrens <pehrens at ligo.caltech.edu> -----
> Mailing-List: contact nmap-hackers-help at insecure.org; run by ezmlm
> From: Philip Ehrens <pehrens at ligo.caltech.edu>
> To: Fyodor <fyodor at insecure.org>
> Cc: nmap-hackers at insecure.org
> Subject: Re: Nmap *NOT* affected by libpcap trojan
> Mail-Followup-To: Philip Ehrens <pehrens at lrxms.net>,
> Fyodor <fyodor at insecure.org>, nmap-hackers at insecure.org
>
> I would like to point out that the type of trojan described below
> is becoming increasingly common.  ftp.sendmail.org was compromised
> recently and a similar trojan was placed in the sendmail source
> tarball.
>
> I know of at least 12 common packages that have had their source
> tarballs compromised within the last 3 months on servers that were
> considered secure.  The folks doing this have gone as far as to
> hijack DNS and root machines on specific subnets in order to place
> this type of trojan.
>
> These trojans are activated during the build process of the source
> tarball in most cases, usually the configure script contains some
> variation of code that establishes a connection to a remote machine.
>
> I believe that the folks doing this are actually trying to catch
> certain specific machines or subnets, and are not doing this to
> set up DDOS or just to own large numbers of boxes.  When I activated
> one of these trojans while building a package all that happened was
> that my /etc/passwd file was shipped off.  The machine listening on
> the other end never did anything except stay connected for a while.
>
> I expect to see more and more of this at an accelerating rate
> from now on...  if you are letting root make remote connections
> you are asking for trouble!
>
> Sorry for using your list for this Fyodor, I won't do it again.
>
> Phil
>
> Fyodor wrote:
> > I just wanted to send out a quick note that the version of libpcap
> > shipped with Nmap does NOT contain the trojan described at:
> >
> > http://hlug.fscker.com/
> >
> >
> > Cheers,
> > -F
> --------------------------------------------------
> For help using this (nmap-hackers) mailing list, send a blank email to
> nmap-hackers-help at insecure.org . List run by ezmlm-idx (www.ezmlm.org).
> ----- End forwarded message -----
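Added example, not part of the original thread or of any project named in it: a pre-build check for the trojaned-tarball pattern described above, which rejects a tarball whose SHA-256 differs from a pinned value and flags network-capable lines in its build scripts without extracting or running anything. The pinned digest stands in for the signature verification mentioned in the reply; the function names, the pattern list and the sample archive are assumptions constructed for illustration.

```python
import hashlib
import io
import re
import tarfile

# Heuristics chosen for this example (not a complete signature set): things a
# configure script rarely needs but a phone-home trojan does.
SUSPICIOUS = [
    re.compile(rb"/dev/tcp/"),
    re.compile(rb"\b(nc|netcat|telnet|wget|curl)\b"),
    re.compile(rb"/etc/(passwd|shadow)"),
]
BUILD_SCRIPTS = {"configure", "Makefile", "Makefile.in", "install-sh"}

def scan_build_scripts(tarball: bytes):
    """Read build scripts straight from the archive; nothing is extracted or run."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:*") as tar:
        for member in tar:
            name = member.name.rsplit("/", 1)[-1]
            if not member.isfile() or name not in BUILD_SCRIPTS:
                continue
            for lineno, line in enumerate(tar.extractfile(member), 1):
                if any(p.search(line) for p in SUSPICIOUS):
                    hits.append((member.name, lineno, line.decode("utf-8", "replace").strip()))
    return hits

def vet_tarball(tarball: bytes, pinned_sha256: str):
    """Return ('reject' | 'review' | 'ok', hits). The digest must come from a channel
    other than the download server, or a compromised server can replace both."""
    if hashlib.sha256(tarball).hexdigest() != pinned_sha256.lower():
        return "reject", []
    hits = scan_build_scripts(tarball)
    return ("review" if hits else "ok"), hits

def make_sample(configure_text: str) -> bytes:
    """Build a constructed one-file source tarball in memory for the demo."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        body = configure_text.encode()
        info = tarfile.TarInfo("pkg-1.0/configure")
        info.size = len(body)
        tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed sample: a configure script with one line that opens a connection.
    bad = make_sample("#!/bin/sh\necho checking for gcc\ntelnet collector.example.invalid 9\n")
    print(vet_tarball(bad, hashlib.sha256(bad).hexdigest()))
```

A "review" result means a human should read the flagged lines before building; an "ok" result only says these heuristics found nothing.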