CERT® Advisory CA-2002-30 Trojan Horse tcpdump and libpcap DistributionsOriginal issue date: November 13, 2002
Last revised: --
A complete revision history is at the end of this file.
The CERT/CC has received reports that several of the released source code distributions of the libpcap and tcpdump packages were modified by an intruder and contain a Trojan horse.
We strongly encourage sites that use, redistribute, or mirror the libpcap or tcpdump packages to immediately verify the integrity of their distribution.
The CERT/CC has received reports that some copies of the source code for libpcap, a packet acquisition library, and tcpdump, a network sniffer, have been modified by an intruder and contain a Trojan horse.
The following distributions were modified to include the malicious code:
These modified distributions began to appear in downloads from the HTTP server www.tcpdump.org on or around Nov 11 2002 10:14:00 GMT. The tcpdump development team disabled download of the distributions containing the Trojan horse on Nov 13 2002 15:05:19 GMT. However, the availability of these distributions from mirror sites is unknown. At this time, it does not appear that related projects such as WinPcap and WinDump contain this Trojan horse.
The Trojan horse version of the tcpdump source code distribution contains malicious code that is run when the software is compiled. This code, executed from the tcpdump configure script, will attempt to connect (via wget, lynx, or fetch) to port 80/tcp on a fixed hostname in order to download a shell script named services. In turn, this downloaded shell script is executed to generate a C file (conftes.c), which is subsequently compiled and run.
When executed, conftes.c makes an outbound connection to a fixed IP address (corresponding to the fixed hostname used in the configure script) on port 1963/tcp and reads a single byte. Three possible values for this downloaded byte are checked, each causing conftes.c to respond in different ways:
An intruder operating from (or able to impersonate) the remote address specified in the malicious code could gain unauthorized remote access to any host that compiled a version of tcpdump with this Trojan horse. The privilege level under which this malicious code would be executed would be that of the user who compiled the source code.
We encourage sites using libpcap and tcpdump to verify the authenticity of their distribution, regardless of where it was obtained.
Where to get libpcap and tcpdump
While the compromise of these distributions is being investigated, the tcpdump and libpcap maintainers recommend using the following distribution sites:
Sites that mirror the source code are encouraged to verify the integrity of their sources. We also encourage users to inspect any and all other software that may have been downloaded from the compromised site. Note that it is not sufficient to rely on the timestamps or sizes of the file when trying to determine whether or not you have a copy of the Trojan horse version.
The MD5 hashes of the vendor suggested updates for libpcap and tcpdump are as follows:
As a matter of good security practice, the CERT/CC encourages users to verify, whenever possible, the integrity of downloaded software. For more information, see
Appendix A. - Vendor Information
This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.
We have checked all our released libpcap and tcpdump packages and confirmed that they do not contain the trojan code.
Problematic packages are only distributed in Debian/unstable. I have examined both source packages and they did not contain the trojan code the HLUG reported on their web page. Hence, I guess that Debian distributes safe source.
We have examined our sources, and our software does not contain this trojan. We are not vulnerable to this advisory.
SuSE Linux products are not vulnerable.
Feedback can be directed to the author: Roman Danyliw, Chad Dougherty.
This document is available from: http://www.cert.org/advisories/CA-2002-30.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 2002 Carnegie Mellon University.
November 13, 2002: Initial release