trojan tcpdump?

[Jim Cornette]

Wolfgang S. Rupprecht wrote:
> Jim Cornette <fc-cornette at insight.rr.com> writes:
>> So was this a trojan version or an unsigned version? 
> 
> Bugzilla says this was a race in the release tools and the rpm was
> good but slipped through unsigned.
> 
>          https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=232523

I was concerned mainly because the two packages were listed in the 
vulnerability from 2002.

http://www.symantec.com/security_response/vulnerability.jsp?bid=6171

> 
>> I thought the date for tcpdump and libpcap were both dated in
>> January even though the development package was dated Mar 15th.
> 
> In theory Redhat folks could have applied a private patch, even if the
> underlying tcpdump distribution didn't change since January.

Since the date was different than the devel package but at the same 
version level, I was concerned that someone was infiltrating the mirrors 
or the home server. Tcpdump was infiltrated back in late 2002. I hope it 
was just a build error and not bad natured individuals infiltrating the 
mirrors.

> 
>> Anyway, looking up information for libpcap and tcpdump on a Windows
>> machine had me cross paths with the 2002 incident and kicked in the
>> antivirus software for windows.
>>
>> Just to be safe, are these incidents unrelated? Did I just happen to
>> cross the virus via google and the packages were only messed up by the
>> build process?
> 
> Even if it was a trojan, I can't imagine the attacker would want to
> slip an MS virus in there.  That would draw even more attention to the
> files.  Linux exploits and MS exploits would require vastly different
> code.

What happened on My XP system was some services[1].txt file was loaded 
into the "Temporary Internet Files" and the active protection facility 
in the Symantec antivirus program launched and tried to clean the file 
from the XP system. It is not a Windows virus unless it was thought I 
was googling for a Windows version of the programs.

> 
>> I did come to the realization that you should not try to install
>> unsigned rpms in case this was an attempt to trojan version the
>> mirrors.
> 
> My jaw dropped when I read that one of the bugzilla responses (by a
> normal user) was to force the installation by editing the yum conf
> file to say "gpgcheck=0".
> 
> If it isn't signed by a repository that you trust then all bets are
> off.

I 100 percent agree! I read the portion of the vulnerability where it 
would install bad items, use a certain port and then report to home 
base. I think it deleted its traces from the infiltrated system on exit. 
This is scary stuff to me.
I would not defeat the valuable feature of signature checking or even 
attempt to install the package until it was known to be safe.

Jim
> 
> -wolfgang


-- 
Everything you know is wrong!