Re: SSH password capture

[John Ladwig <John.Ladwig () CSU MNSCU EDU>]

I saw this in... winter '98-99... Or was it '97-98?  When was Usenix Security in San Antonio at the Mariott?  Client 
and server handcoded to store un/pw/remote host in a nice small logfile.

Probably not the same individuals/group as you're seeing today.
 
    -jml


-----Original Message-----
From: Andrew Daviel
Sent: 2010-06-26 01:40:32
To: Andrew Daviel;The EDUCAUSE Security Constituent Group Listserv
Cc: 
Subject: [SECURITY] SSH password capture


We recently found trojan openssh programs on a few machines, busy logging 
passwords in and out. I just wondered if anyone else had been hit by 
this, or had the source code - the one we found had a "SKYNET" ascii-art 
logo embedded in it. I suspect it of having a login backdoor, too, but 
can't prove it. I think they had a user account and privilege esclation 
exploit to get started, then followed some root passwords to get more 
systems, but don't seem to have done anything else to draw attention to 
themselves. An MD5 check against the package manager records found them 
once we started looking.

I've been trying to encourage ssh keys instead of passwords, especially 
for root, after being bitten a few years back, but it's hard - passwords 
seem embedded in the modern psyche.

-- 
Andrew Daviel, TRIUMF, Canada