Oh thank you so much for these instructions I'll go through them on my computer.
I indeed wanted to know if the versions were still downloadable anywhere but if you can still install the correct liblzma version on any version of the distribution that works. I tried on a Debian VM on mac but with too little knowledge and it never run the correct liblzma
xzbot from Anthony Weems enables to patch the corrupted liblzma to change the private key used to compare it to the signed ssh certificate, so adding this to your instructions might enable me to demonstrate sshing into the VM :)
Yes, indeed the backdoor code checks, in the event of ssh authentication with a certificate, that it was signed with a specific ssh private key (their own CA), the corresponding public key being hardcoded in the backdoor code.
But this project xzbot demonstrates how to patch the corrupted liblzma to replace the key
Download xz Utils infected distro version
Hi !...