The OpenBSD project warned yesterday that several versions of
OpenSSH, its free network connectivity software, contain a Trojan
horse that can allow an attacker to take over a system.

The SSH protocol is widely used for secure remote terminal
connections and file transfers between a client and a server
running Unix and its derivatives.

The Trojan horse was discovered in OpenSSH versions 3.2.2p1, 3.4p1
and 3.4. The compromised software was first made available on an
official download server on 30 July or 31 July, and from there was
likely to have been copied to other download sites.

Trojan horse programs install backdoor programs that let attackers
gain access to a computer. In this case the malicious code is run
when the OpenSSH software is compiled by the user, the advisory
warned. It allows arbitrary commands to be executed with the
privileges of the compiling user.

Anyone who installed OpenSSH or offered it for download since 30
July should verify the authenticity of the software. The
compromised OpenSSH versions can be identified by their incorrect
MD5 checksums and PGP signatures.

More information on the Trojan horse and how to detect it can be
found in the OpenSSH advisory (www.openssh.com/txt/trojan.adv)
and an advisory sent out by the Computer Emergency Response Team
(CERT) (www.cert.org/advisories/CA-2002-24.html).