Re: <Advice> Possible Backdoor into openssh-3.7.1p1-i386-1.tgz from Slackware Mirror

["Patrick J. Volkerding" <security () slackware com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Sat, 20 Sep 2003, Piermark wrote:
> Hi,
>
> I have update my Slackware 9.0 with openssh-3.7.1p1-i386-1.tgz  from
> http://www.slackware.at/data/slackware-9.0/patches/packages/openssh-3.7.1p1-i386-1.tgz
>
> Now i have 3 new  tcp/ip ports into my system: (thank Nmap) :-)
>
> - 867 Open
> - 879 Open
> - 889 Open
>
> Example:
>
> telnet> open
> (to) 127.0.0.1 867
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.

I've verified the GPG signature for the package on ftp.slackware.at, and
it has not been tampered with.  The GPG signature of the
openssh-3.7.1p1.tar.gz has also been tested, and is signed with the
correct signature of the OpenSSH developer who signs such things.
Additionally, I've tested installing the package and found no unexpected
ports were opened.

Conclusion:  This report is false.

> These ports are choice random from a range of 300 - 1200 !! and the size
> of the tgz is various for every mirror:
>
> 628642 Sep 20 17:58 openssh-3.7.1p1-i386-1.tgz (from www.slackware.at)
> 628481 Sep 20 21:01 openssh-3.7p1-i386-1.tgz   (from www.slackware.com)

Note that these are completely different package versions.

Regards,

Pat
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/bO89akRjwEAQIjMRAt6BAJ9S6WcnjbhfbgcWsfdutcclqxb+LQCfXPMH
L2qPHNBG4TWphoODKN9XBxE=
=n0SI
-----END PGP SIGNATURE-----