Open Source · 2002-07-30 · 2 days · Backdoor, Remote Code Execution

OpenSSH tarballs shipped trojan horse

OpenSSH 3.2.2p1, 3.4p1, and 3.4 source archives on the OpenBSD FTP server were trojanized between July 30 and August 1, 2002, with copies possibly spreading through mirrors.

Story

At the end of July 2002, source archives for OpenSSH were replaced on the OpenBSD FTP server and potentially propagated by the normal mirror network. The affected files were openssh-3.4p1.tar.gz, openssh-3.4.tgz, and openssh-3.2.2p1.tar.gz; the project replaced them with clean originals at 13:00 UTC on August 1.

The attacker changed the source distribution, not the SSH protocol. The tainted archives carried a modified bf-test.c, and the build system compiled and executed it during configure. A system could be compromised simply by building OpenSSH from the archive, even if it never deployed the resulting daemon.

The payload lived in bf-test.c and executed during the build, not when a running SSH daemon handled traffic. Once compiled, it attempted hourly outbound connections to an IRC-style port and could execute attacker-supplied commands as the build user. CERT's advisory treated any host that built the trojaned source as compromised and told mirrors, redistributors, and administrators to verify signatures and checksums rather than trusting timestamps or file sizes.

The detection path was ordinary package hygiene. Isosceles notes that FreeBSD ports already had expected checksums, so a developer building the tainted archive saw a mismatch. The short exposure window prevented broader compromise, but the attack showed that replacing source archives on trusted infrastructure was enough to reach high-value Unix systems.
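The checksum mismatch described above is the whole detection story, so here is an added example (not code from this record, from OpenSSH, or from the FreeBSD ports tree) of the check a ports-style build performs before unpacking a distfile. The record format is modelled on FreeBSD's distinfo (SHA256 and SIZE lines), the archive bytes are constructed stand-ins, and it also shows why the size check alone would not have caught a same-length substitution.

```python
import hashlib
import re

# One distinfo-style line: "SHA256 (file) = hex" or "SIZE (file) = bytes".
DISTINFO_LINE = re.compile(r"^(SHA256|SIZE) \(([^)]+)\) = (\S+)$")

def parse_distinfo(text):
    """Parse distinfo text into {filename: {"SHA256": hex, "SIZE": int}}."""
    records = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable distinfo line: {line!r}")
        kind, name, value = m.groups()
        entry = records.setdefault(name, {})
        entry[kind] = int(value) if kind == "SIZE" else value.lower()
    return records

def make_distinfo(name, data):
    """Record the expected size and SHA256 of a known-good archive (maintainer side)."""
    digest = hashlib.sha256(data).hexdigest()
    return f"SHA256 ({name}) = {digest}\nSIZE ({name}) = {len(data)}\n"

def verify_distfile(records, name, data):
    """Return the names of the checks that failed; an empty list means the archive is clean."""
    # Size is checked, but a same-length substitution passes it and is only caught by the digest.
    expected = records.get(name)
    if expected is None:
        return ["no distinfo entry"]
    failures = []
    if "SIZE" in expected and len(data) != expected["SIZE"]:
        failures.append("SIZE")
    if "SHA256" not in expected:
        failures.append("no SHA256 recorded")
    elif hashlib.sha256(data).hexdigest() != expected["SHA256"]:
        failures.append("SHA256")
    return failures

# Constructed stand-ins for the archive bytes; these are not real OpenSSH tarballs.
NAME = "openssh-3.4p1.tar.gz"
CLEAN = b"openssh-3.4p1: bf-test.c exercises the Blowfish cipher\n"
TAINTED = b"openssh-3.4p1: bf-test.c exercises the Blowfish CIPHER\n"  # same length as CLEAN
RECORDS = parse_distinfo(make_distinfo(NAME, CLEAN))  # what the ports tree would ship

if __name__ == "__main__":
    print("clean:", verify_distfile(RECORDS, NAME, CLEAN))      # []
    print("tainted:", verify_distfile(RECORDS, NAME, TAINTED))  # ['SHA256']
```

The tainted stand-in has the same size as the clean one, so only the digest line fails; a timestamp or size comparison would have accepted it.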

Affected Artifacts

Incident Context

Motive: Unauthorized Access Control
Cause: Compromised Infrastructure
Transitive: No

External References

Source record: oss/attacks/openssh/meta.yaml