Educause Security Discussion mailing list archives
Re: SSH password capture
From: John Ladwig <John.Ladwig () CSU MNSCU EDU>
Date: Sun, 27 Jun 2010 17:18:41 -0500
I saw this in... winter '98-99... Or was it '97-98? When was Usenix Security in San Antonio at the Marriott?

Client and server handcoded to store un/pw/remote host in a nice small logfile.

Probably not the same individuals/group as you're seeing today.

-jml

-----Original Message-----
From: Andrew Daviel
Sent: 2010-06-26 01:40:32
To: Andrew Daviel;The EDUCAUSE Security Constituent Group Listserv
Cc:
Subject: [SECURITY] SSH password capture

We recently found trojan openssh programs on a few machines, busy logging passwords in and out. I just wondered if anyone else had been hit by this, or had the source code - the one we found had a "SKYNET" ascii-art logo embedded in it. I suspect it of having a login backdoor, too, but can't prove it.

I think they had a user account and privilege escalation exploit to get started, then followed some root passwords to get more systems, but don't seem to have done anything else to draw attention to themselves. An MD5 check against the package manager records found them once we started looking.

I've been trying to encourage ssh keys instead of passwords, especially for root, after being bitten a few years back, but it's hard - passwords seem embedded in the modern psyche.

--
Andrew Daviel, TRIUMF, Canada
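The check against package manager records mentioned in the quoted message, as an added example that is not part of either post: a filter over `rpm -V` output that reports non-config files whose digest no longer matches the package database. It assumes an RPM-based host and the usual OpenSSH package names; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output for files whose digest no longer
# matches what the package database recorded at install time.

# flag_modified_binaries: reads `rpm -V` output on stdin and prints one line
# per non-config file that is missing or has a digest mismatch.
# Paths containing spaces are not handled (only the last field is printed).
flag_modified_binaries() {
    awk '
        $1 == "missing" { print "MISSING " $NF; next }
        # Verification flags are 8 or 9 characters, e.g. S.5....T.
        # A "5" in the third position means the file digest differs.
        length($1) >= 8 && substr($1, 3, 1) == "5" {
            # With three fields, the middle one is the file-type marker
            # (c = config, d = doc, g = ghost, l = license, r = readme).
            marker = (NF == 3) ? $2 : ""
            if (marker == "c") next   # edited config files are expected
            print "DIGEST " $NF
        }
    '
}

# Constructed sample of `rpm -V` output (not taken from a real host).
sample_rpm_verify_output() {
    cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
S.5....T.    /usr/sbin/sshd
.......T.    /usr/bin/scp
S.5....T.    /usr/bin/ssh
missing     /usr/bin/ssh-keygen
EOF
}

# On a live host (package names are an assumption):
#   rpm -V openssh openssh-server openssh-clients | flag_modified_binaries
sample_rpm_verify_output | flag_modified_binaries
```

The package database sits on the same host the intruder had root on, so a clean result is weak evidence; confirm any hit, and any host of interest, against digests taken from a trusted copy of the package.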