Educause Security Discussion mailing list archives
SSH password capture
From: Andrew Daviel <advax () TRIUMF CA>
Date: Fri, 25 Jun 2010 23:39:37 -0700
We recently found trojan openssh programs on a few machines, busy logging passwords in and out. I just wondered if anyone else had been hit by this, or had the source code - the one we found had a "SKYNET" ascii-art logo embedded in it. I suspect it of having a login backdoor, too, but can't prove it. I think they had a user account and privilege esclation exploit to get started, then followed some root passwords to get more systems, but don't seem to have done anything else to draw attention to themselves. An MD5 check against the package manager records found them once we started looking.
I've been trying to encourage ssh keys instead of passwords, especially for root, after being bitten a few years back, but it's hard - passwords seem embedded in the modern psyche.
-- Andrew Daviel, TRIUMF, Canada
Current thread:
- Re: attempts sending fake phishing messages to students and/or employees Sam Hooker (Jun 09)
- Re: attempts sending fake phishing messages to students and/or employees Eric Case (Jun 09)
- Re: attempts sending fake phishing messages to students and/or employees Jesse Thompson (Jun 11)
- Re: attempts sending fake phishing messages to students and/or employees Andrew Daviel (Jun 25)
- SSH password capture Andrew Daviel (Jun 25)
- Re: SSH password capture Yonesy F. Nunez (Jun 28)
- Re: attempts sending fake phishing messages to students and/or employees Dave Kovarik (Jun 10)
- Re: attempts sending fake phishing messages to students and/or employees Davis, Thomas R (Jun 11)
- Re: attempts sending fake phishing messages to students and/or employees Ben Woelk (Jun 11)
- Re: attempts sending fake phishing messages to students and/or employees Sam Hooker (Jun 14)
- Re: attempts sending fake phishing messages to students and/or employees Davis, Thomas R (Jun 11)
- Re: attempts sending fake phishing messages to students and/or employees Eric Case (Jun 09)