Security Incidents mailing list archives

Re: FreeBSD box compromised, ssh client trojanised


From: dor <dor () VIRTUALMYSTIC COM>
Date: Thu, 7 Dec 2000 03:31:22 -0800

Hi,

A FreeBSD box under my administration was compromised recently, we believe
via a sniffed admin account and the use of a fake "su" program. Aside from
the "regular" trojans (login/sshd etc.) there was also a trojanised ssh
client, apparently designed to write encrypted logfiles to
/var/tmp/vi_restore/, which was a root-owned, world-writeable
directory. Inside were files owned by several users, with apparently
random names, which appeared to contain encrypted data. I have posted the
binary at http://www.vitun.net/trojan-openssh.tar.gz if anyone would like
to look at it.

Making a test login using the trojanised ssh client to another host
appeared to write data into the /var/tmp/vi_restore/ directory,
presumably my login and password.
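The indicators in the message above (a root-owned, world-writeable directory under /var/tmp that collects oddly named files owned by several users, and a new file appearing there after a test login with the suspect ssh client) can be checked mechanically. The script below is an added example and is not code from the original post or from the trojan; the sample directory, file names and the stand-in for the "test login" are constructed for illustration, and `/var/tmp/vi_restore` is only the name the post reports.

```shell
#!/bin/sh
# Added example: checks for the artefacts described in the post.
# Not code from the original message or from the trojan; the sample
# directory and file names below are constructed for illustration.

# Exit status 0 if DIR exists and has the other-write bit set
# (the "world writeable" property the post describes).
dir_is_world_writable() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -0002 2>/dev/null)" ]
}

# Print the number of distinct owning uids among regular files in DIR.
# A dropbox written by many users' ssh sessions shows several owners.
distinct_owner_count() {
    find "$1" -type f -exec ls -ln {} + 2>/dev/null \
        | awk '{ print $3 }' | sort -u | wc -l | tr -d ' '
}

# Print regular files in DIR modified after STAMP, a file touched just
# before making a test login with the suspect client (the post's method).
files_newer_than() {
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# Demo on a constructed sample directory standing in for /var/tmp/vi_restore.
demo() {
    sample=$(mktemp -d) || return 1
    chmod 1777 "$sample"
    # Constructed "old" logfiles with random-looking names (assumed content).
    printf 'x' > "$sample/.a8f3k2"
    printf 'y' > "$sample/q91zz0"
    stamp=$(mktemp) || return 1
    sleep 1
    # Stand-in for the test login: something drops a new file into the dir.
    printf 'z' > "$sample/m4kd7e"
    if dir_is_world_writable "$sample"; then
        echo "$sample is world-writeable"
    fi
    echo "distinct file owners: $(distinct_owner_count "$sample")"
    echo "files created since the test login:"
    files_newer_than "$sample" "$stamp"
    rm -rf "$sample" "$stamp"
}

demo
```

On a live box, run the three functions against the real directory (`dir_is_world_writable /var/tmp/vi_restore`, `distinct_owner_count /var/tmp/vi_restore`, then touch a stamp file, log in to another host with the suspect ssh binary, and call `files_newer_than` with that stamp); do this from a clean, trusted shell, since a trojaned `ls` or `find` would undermine the result.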

