tcpdump/libpcap
tcpdump.org source tarballs trojanized
The tcpdump.org distribution site was compromised in November 2002, and source archives for tcpdump and libpcap were replaced with trojanized versions. The inserted code ran during compilation, connected to a remote IRC server on port 6667, and accepted commands, turning packet-analysis tooling into a remote-access foothold for systems that built from the poisoned official archives.
- Date
- 2002-11-11 to 2002-11-13
- Category
- Open Source
- Target Surface
- Distribution
- Insertion Phase
- Distribution
- Impact
- Backdoor
- Cause
- Compromised Infrastructure
What Was Affected
Package
tcpdump/libpcap
Language
C
Component
Application
Artifact type
source archive
Domain type
project download host
Domain
tcpdump.org
Repository
github.com/the-tcpdump-group/tcpdump
Compromised Versions
- tcpdump 3.6.2
- tcpdump 3.7.1
- libpcap 0.7.1
Incident Context
- Motive
- Unauthorized Access
- Attribution
- Unknown attacker
- Transitive
- No
- User Impact
- 0
- Observed Duration
- 2 days
Evidence
Compromised Artifacts
Indicators and Changes
Hashes
- md5:73ba7af963aff7c9e23fa1308a793dca
- md5:3c410fc8c03c3a11d4f5b2e5edc2f295
- md5:1b7cf8d07a7789afc1d772e8f09d28d8
External References
Source Data
Source record: oss/attacks/tcpdump-libpcap/meta.yaml