August 02, 2002, 10:10 AM — Several versions of OpenSSH contain a Trojan horse that can allow an attacker to take over a system running the free network connectivity software, the makers of OpenSSH warned Thursday.
OpenSSH is distributed for free by the OpenBSD project. The SSH protocol is widely used for secure remote terminal connections and file transfers between a client and a server running Unix and its derivatives.
The Trojan horse was discovered in OpenSSH versions 3.2.2p1, 3.4p1 and 3.4. The compromised software was first made available on an official download server on July 30 or July 31 and from there likely copied to other download sites, according to an OpenSSH security advisory.
Trojan horse programs install backdoor programs that let attackers gain access to a computer. In this case the malicious code is run when the OpenSSH software is compiled by the user, according to the advisory. It allows arbitrary commands to be executed with the privileges of the compiling user.
Anyone who installed OpenSSH or offered it for download since July 30 should verify the authenticity of the software. The compromised OpenSSH versions can be identified by their incorrect MD5 checksums and PGP signatures, according to the advisory.
More information on the Trojan horse and how to detect it can be found in the OpenSSH advisory (http://www.openssh.com/txt/trojan.adv) and an advisory sent out by the Computer Emergence Response Team (CERT) (http://www.cert.org/advisories/CA-2002-24.html).