Ethereal-users: [Ethereal-users] FW: [linux] [newbie] warning on tcpdump and libcap

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Richard Urwin <RUrwin@xxxxxxxxxxxxxx>
Date: Wed, 13 Nov 2002 16:42:15 -0000
I pass this on for what it's worth.

Personally, I would only trust the tcpdump site for a true state of
affairs, and they don't mention it. However, their archive of tarballs
seems to be inaccessible/broken. The current tarball is accessible and
does not seem to be infected. (I checked the two diffs given below.)


The string "1963" does not appear in wpcap.dll 2.3. I surmise that it is
not infected.

My apologies if this turns out to be a false alarm.

--
Richard Urwin, Private
"No 9000 series computer has ever made a mitsake or corrubiteddatatato."




-----Original Message-----
From: newbie-owner@xxxxxxxxxxxxxxxxxx
[mailto:newbie-owner@xxxxxxxxxxxxxxxxxx]On Behalf Of Ken Walker
Sent: 13 November 2002 15:06
To: 'newbie@xxxxxxxxxxxxxxxxxx'
Subject: [linux] [newbie] warning on tcpdump and libcap


warning on tcpdump and libcap

I've just received the following, don't know if it's true!

>Hi,
>
>Apparently libpcap and tcpdump have been trojaned, in a similar way to
>openssh earlier this year.  Information about how long this has been the
>case is sketchy.  Trojaned versions appear to have made it out to a
>number of mirrors.
>
>Further details can be found at http://hlug.fscker.com (mirror
>http://www2.def-con.org/mirror/hlug.fscker.com/ appears to work).
>
>The tarballs available at www.tcpdump.org appear to still be trojaned.
>
>Good sources:
>http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/libpcap-0.7.1.tar.gz
>http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.6.2.tar.gz
>http://www.ibiblio.org/pub/Linux/distributions/gentoo/distfiles/tcpdump-3.7.1.tar.gz
>
>MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7  libpcap-0.7.1.tar.gz
>MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248  tcpdump-3.6.2.tar.gz
>MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e  tcpdump-3.7.1.tar.gz
>
>Trojaned sources:
>http://www.tcpdump.org/release/libpcap-0.7.1.tar.gz
>http://www.tcpdump.org/release/tcpdump-3.6.2.tar.gz
>http://www.tcpdump.org/release/tcpdump-3.7.1.tar.gz
>
>MD5 Sum 73ba7af963aff7c9e23fa1308a793dca  libpcap-0.7.1.tar.gz
>MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9  tcpdump-3.6.2.tar.gz
>MD5 Sum 3c410d8434e63fb3931fe77328e4dd88  tcpdump-3.7.1.tar.gz
>
>The program connects to 212.146.0.34 (mars.raketti.net) on port 1963
>when the configure script is run.  Sites with logs of network traffic
>may wish to check for connections to this IP over recent days.
>
>We would be interested in hearing about any machines found to be
>compromised using this route.
>
>Regards

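One way to apply the two checks the forwarded warning describes, as an added example that is not part of the original thread: it classifies a downloaded tarball against the MD5 sums quoted above and scans log lines for connections to the listed address and port. The log formats it matches (tcpdump "ip.port" and "ip:port" fields) and the sample log lines are assumptions constructed for this example.

```python
import hashlib
import re
from pathlib import Path

# MD5 sums quoted in the forwarded warning, keyed by tarball name.
KNOWN_GOOD = {
    "libpcap-0.7.1.tar.gz": "0597c23e3496a5c108097b2a0f1bd0c7",
    "tcpdump-3.6.2.tar.gz": "6bc8da35f9eed4e675bfdf04ce312248",
    "tcpdump-3.7.1.tar.gz": "03e5eac68c65b7e6ce8da03b0b0b225e",
}
KNOWN_TROJANED = {
    "libpcap-0.7.1.tar.gz": "73ba7af963aff7c9e23fa1308a793dca",
    "tcpdump-3.6.2.tar.gz": "3a1c2dd3471486f9c7df87029bf2f1e9",
    "tcpdump-3.7.1.tar.gz": "3c410d8434e63fb3931fe77328e4dd88",
}

# Endpoint the warning says the trojaned configure script contacts.
BEACON_IP = "212.146.0.34"
BEACON_PORT = 1963
# Assumed log formats: tcpdump-style "ip.port" and firewall-style "ip:port".
_BEACON_RE = re.compile(rf"\b{re.escape(BEACON_IP)}[.:]{BEACON_PORT}\b")

def md5_hex(data: bytes) -> str:
    """Hex MD5 of a byte string (MD5 only because that is what the warning lists)."""
    return hashlib.md5(data).hexdigest()

def classify_digest(name: str, digest: str) -> str:
    """Return 'good', 'trojaned' or 'unknown' for a tarball's MD5 sum."""
    if digest == KNOWN_GOOD.get(name):
        return "good"
    if digest == KNOWN_TROJANED.get(name):
        return "trojaned"
    return "unknown"

def classify_file(path) -> str:
    """Hash a downloaded tarball on disk and classify it by its file name."""
    p = Path(path)
    return classify_digest(p.name, md5_hex(p.read_bytes()))

def find_beacon_connections(log_lines):
    """Return the log lines that record a connection to the beacon endpoint."""
    return [line for line in log_lines if _BEACON_RE.search(line)]

# Constructed sample log lines (not real captures) for a quick local check.
SAMPLE_LOG = [
    "16:42:01.112233 IP 10.0.0.5.40112 > 212.146.0.34.1963: Flags [S], seq 1",
    "16:42:01.118811 IP 10.0.0.5.40113 > 93.184.216.34.80: Flags [S], seq 2",
    "Nov 13 16:42:02 fw: 10.0.0.7:51000 -> 212.146.0.34:1963 established",
]
```

MD5 is used here only because those are the sums the warning quotes; a release check today should compare against the project's signed checksums rather than an MD5 list from a mailing list.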