Open Source · 2002-05-17 · 7 days · Backdoor, Remote Code Execution

monkey.org tarballs shipped backdoors

The monkey.org host serving Dug Song's security tools was compromised on May 14, 2002, and attackers modified the dsniff 2.3, fragroute 1.2, and fragrouter 1.6 source tarballs at 03:00 on May 17.

Story

In May 2002, monkey.org was compromised through an epic4-pre2.511 client-side hole that yielded access to a local administrator account and then to a root screen session. At 03:00 on May 17, the dsniff 2.3, fragroute 1.2, and fragrouter 1.6 tarballs were modified to include a configure-time backdoor. The downloads were not impostors; they came from the project host used for Dug Song's security tools.

The delivery method was repeated across three security tools. Each poisoned archive used the familiar source-build path, with configure writing and compiling conftest.c. Users asked for packet and network tooling; the build ran attacker code first.

The injected configure block wrote conftest.c, compiled it, and executed it during the build. The payload forked, connected to 216.80.99.202 on TCP/6667, and handed stdin, stdout, and stderr to /bin/sh. Dug Song reported 1,951 successful downloads of the backdoored tarballs before discovery around May 24, including hundreds of Unix hosts and automated BSD ports fetches, then restored the system from scratch and published clean checksums.

The audience made the compromise sharper. dsniff, fragroute, and fragrouter were tools used by security practitioners and network administrators, so a poisoned build reached machines likely to sit near sensitive traffic, credentials, and test infrastructure.
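The mechanism above, a configure script that writes, compiles and runs a conftest.c which does far more than a feature probe should, is something a reviewer can check for before building an untrusted tarball. The following detection script is an added example, not code from the incident or from Dug Song's projects: it pulls every conftest heredoc out of a configure script and flags probes that combine process, network, descriptor and shell calls. The embedded configure text is a constructed fixture modelled on the page's description (the IP and port are the indicators the record lists); the category keywords and the threshold of two categories are assumptions.

```python
import re

# Constructed sample, not the real 2002 tarball: a benign autoconf-style probe, then a
# conftest.c sketch of what the incident record describes (fork, connect out to
# 216.80.99.202:6667, redirect stdio, exec /bin/sh). Arguments are elided with "...".
SAMPLE_CONFIGURE = """\
cat > conftest.c <<EOF
#include <stdlib.h>
int main() { exit(0); }
EOF
$CC -o conftest conftest.c && ./conftest
cat > conftest.c <<EOF
#include <sys/socket.h>
int main() {
  if (fork()) exit(0);
  /* connect to 216.80.99.202 port 6667 */
  connect(...); dup2(...); dup2(...); dup2(...);
  execl("/bin/sh", ...);
}
EOF
$CC -o conftest conftest.c && ./conftest
"""

# Each "cat > conftest.c <<TAG ... TAG" heredoc that configure writes, compiles and runs.
HEREDOC = re.compile(
    r"cat\s*>\s*conftest\.(?:c|\$ac_ext)\s*<<\s*-?\\?['\"]?(\w+)['\"]?[ \t]*\n(.*?)\n\1[ \t]*\n", re.S)

# A genuine feature probe checks headers, types or functions; it has no reason
# to fork, open sockets, rewire descriptors or launch a shell.
SUSPICIOUS = {
    "network": re.compile(r"\b(socket|connect|gethostbyname|inet_addr|htons)\s*\("),
    "process": re.compile(r"\b(fork|daemon|setsid)\s*\("),
    "fd_redirect": re.compile(r"\bdup2?\s*\("),
    "exec_shell": re.compile(r"\b(execl|execlp|execve|system|popen)\s*\(|/bin/sh"),
    "hardcoded_ip": re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"),
}

def conftest_blocks(configure_text):
    """Return the C source of every conftest heredoc, in script order."""
    return [m.group(2) for m in HEREDOC.finditer(configure_text)]

def classify(c_source):
    """Sorted suspicious categories present in one probe (empty for a benign one)."""
    return sorted(name for name, rx in SUSPICIOUS.items() if rx.search(c_source))

def scan_configure(configure_text, min_categories=2):
    """Flag probes hitting several categories at once; one alone may be legitimate."""
    hits = [(i, classify(b)) for i, b in enumerate(conftest_blocks(configure_text), 1)]
    return [(i, cats) for i, cats in hits if len(cats) >= min_categories]
```

Run it over the configure script of a tarball whose checksum you cannot verify against the publisher's signed list; the first benign probe is ignored and the second is reported with all five categories.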

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Cause: Compromised Infrastructure
Transitive: No
User Impact: 1951

Indicators

  • observable: 216.80.99.202:6667
  • observable: epic4-pre2.511
  • file: configure
  • file: conftest.c

External References

Source record: oss/attacks/monkey-org-dsniff-fragroute/meta.yaml