Trojan Found in libpcap and tcpdump

Wednesday, 13 November 2002, 2:56 PM EST

Members of The Houston Linux Users Group discovered that the newest sources of libpcap and tcpdump available from were contaminated with trojan code. HLUG has notified the maintainers of


  • The trojan contains modifications to the configure script and gencode.c (in libpcap only).
  • The configure script downloads which is then sourced with the shell. It contains an embedded shell script that creates a C file, and compiles it.
  • The program connects to ( on port 1963 and reads one of three one byte status codes:
    A - program exits
    D - forks and spawns a shell and does the needed file descriptor manipulation to redirect it to the existing connection to
    M - closes connection, sleeps 3600 seconds, and then reconnects
  • It's important to note that it reuses the same outgoing connection for the shell. This gets around firewalls that block incoming connections.
  • gencode.c is modified to force libpcap to ignore packets to/from the backdoor program, hiding the backdoor program's traffic from captures.
  • This is similar to the OpenSSH trojan a few months ago.
Good sources have the following MD5 hashes:

MD5 Sum 0597c23e3496a5c108097b2a0f1bd0c7 libpcap-0.7.1.tar.gz
MD5 Sum 6bc8da35f9eed4e675bfdf04ce312248 tcpdump-3.6.2.tar.gz
MD5 Sum 03e5eac68c65b7e6ce8da03b0b0b225e tcpdump-3.7.1.tar.gz

Trojaned sources have the following MD5 hashes:

MD5 Sum 73ba7af963aff7c9e23fa1308a793dca libpcap-0.7.1.tar.gz
MD5 Sum 3a1c2dd3471486f9c7df87029bf2f1e9 tcpdump-3.6.2.tar.gz
MD5 Sum 3c410d8434e63fb3931fe77328e4dd88 tcpdump-3.7.1.tar.gz
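One practical use of the two hash lists above is an automated check of downloaded tarballs before they are unpacked. The script below is an added example written for this article, not tooling from HLUG, HNS or the tcpdump maintainers; it embeds the published MD5 sums and classifies a file as clean, trojaned, or unknown (a mismatch against both lists, which this notice says should also be treated as a reason not to build). File paths are assumed to be given on the command line.

```python
import hashlib
import os
import sys

# MD5 sums as published in the HLUG notice: filename -> (clean, trojaned).
KNOWN_MD5 = {
    "libpcap-0.7.1.tar.gz": ("0597c23e3496a5c108097b2a0f1bd0c7",
                             "73ba7af963aff7c9e23fa1308a793dca"),
    "tcpdump-3.6.2.tar.gz": ("6bc8da35f9eed4e675bfdf04ce312248",
                             "3a1c2dd3471486f9c7df87029bf2f1e9"),
    "tcpdump-3.7.1.tar.gz": ("03e5eac68c65b7e6ce8da03b0b0b225e",
                             "3c410d8434e63fb3931fe77328e4dd88"),
}


def classify_digest(filename, md5_hex):
    """Map a tarball name and its MD5 to one of:
    'clean', 'trojaned', 'unknown' (neither list) or 'untracked' (name not covered)."""
    entry = KNOWN_MD5.get(filename)
    if entry is None:
        return "untracked"
    clean, trojaned = entry
    digest = md5_hex.strip().lower()
    if digest == clean:
        return "clean"
    if digest == trojaned:
        return "trojaned"
    return "unknown"


def md5_hex(data):
    """MD5 of an in-memory byte string (used by classify_bytes and for testing)."""
    return hashlib.md5(data).hexdigest()


def classify_bytes(filename, data):
    """Classify tarball content already held in memory (constructed data in tests)."""
    return classify_digest(filename, md5_hex(data))


def classify_file(path):
    """Hash a file on disk in chunks and classify it by its basename."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 16), b""):
            h.update(block)
    return classify_digest(os.path.basename(path), h.hexdigest())


if __name__ == "__main__":
    # Exit non-zero unless every file given is a known-clean tarball.
    results = {p: classify_file(p) for p in sys.argv[1:]}
    for path, verdict in results.items():
        print(f"{verdict:9s} {path}")
    sys.exit(0 if results and all(v == "clean" for v in results.values()) else 1)
```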



The version of tcpdump available on HNS does NOT contain a trojan, but it is advised not to download the program from any source until the developers post a notice on the official website.
