Security Incidents mailing list archives
Re: FreeBSD box compromised, ssh client trojanised
From: dor <dor () VIRTUALMYSTIC COM>
Date: Thu, 7 Dec 2000 03:31:22 -0800
Hi,

A FreeBSD box under my administration was compromised recently, we believe via a sniffed admin account and the use of a fake "su" program. Aside from the "regular" trojans (login/sshd etc.) there was also a trojanised ssh client, apparently designed to write encrypted logfiles to /var/tmp/vi_restore/ - which was a root owned, world writeable directory. Inside were files owned by several users, with apparently random names, which appeared to contain encrypted data.

I have posted the binary at http://www.vitun.net/trojan-openssh.tar.gz if anyone would like to look at it.

Making a test login using the trojanised ssh client to another host appeared to write data into the /var/tmp/vi_restore/ directory, presumably my login and password.
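A check for the artifact described in the post above, as an added example that is not part of the original message: it looks below a temp directory for root-owned, world-writable subdirectories holding regular files from several different users. The function name, the two-owner threshold and skipping the scan root itself are assumptions of this sketch.

```python
import os
import stat
import sys


def suspicious_dirs(root, dir_owner=0, min_owners=2, lstat=os.lstat):
    """Find directories below `root` that are owned by `dir_owner`, are
    world-writable, and hold regular files belonging to at least
    `min_owners` different uids. Returns a list of (path, sorted_uids).

    `root` itself is skipped (assumption: a shared temp directory such as
    /var/tmp is expected to look like this). `lstat` is injectable so the
    logic can be exercised without root privileges."""
    hits = []
    # os.walk does not follow symlinked directories by default.
    for dirpath, _dirnames, filenames in os.walk(root):
        if dirpath == root:
            continue
        try:
            st = lstat(dirpath)
        except OSError:
            continue  # vanished or unreadable; nothing to report
        if st.st_uid != dir_owner or not st.st_mode & stat.S_IWOTH:
            continue
        owners = set()
        for name in filenames:
            try:
                fst = lstat(os.path.join(dirpath, name))
            except OSError:
                continue
            if stat.S_ISREG(fst.st_mode):  # ignore symlinks, fifos, sockets
                owners.add(fst.st_uid)
        if len(owners) >= min_owners:
            hits.append((dirpath, sorted(owners)))
    return hits


if __name__ == "__main__":
    # Default scan root is the parent of the directory named in the post.
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/var/tmp"
    for path, uids in suspicious_dirs(scan_root):
        print(f"{path}: files owned by uids {uids}")
```

A hit is only a lead for manual review: the check says nothing about file contents, and a legitimately shared spool directory will match too.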