OpenBSD rootkit

[Przemyslaw Frasunek <venglin () freebsd lublin pl>]

Hello.

Recently one of my OpenBSD 3.0 boxes got compromised. The attacker
used OpenSSH exploit and installed trojaned sshd binary. There were
obvious signs of compromise:

<root@svrtr:/root:251># ls -al /usr/sbin/sshd
-rwxr-xr-x  1 root  wheel  966656 Oct 18  2001 /usr/sbin/sshd*
<root@svrtr:/root:252># md5 /usr/sbin/sshd
MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d
<root@svrtr:/root:253># ldd /usr/sbin/sshd
ldd: /usr/sbin/sshd: not a dynamic executable
<root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
OpenSSH_3.4

1) Installed version is 3.4, but OpenBSD 3.0 ships with 3.0. File
modification date is earlier than 3.4 release date.

2) Binary is statically linked, therefore much larger than original sshd.

3) It was installed with other perms (0755) than original one (0555). 

I've compared good OpenSSH 3.4 binary with compromised one and found
the following:

--- s1  Sun Jul 14 08:48:17 2002
+++ s2  Sun Jul 14 08:48:26 2002
@@ -6,9 +6,10 @@
-@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
+grOet2CS62G4k
+@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
[...]
-nobody
+daemon
[...]
+/etc/sshd_config
[...]
-Connection refused by tcp wrapper
-libwrap refuse returns
[...]
-/usr/src/usr.bin/ssh/sshd/../sshd.c
+/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
[...]

Full diff output can be found at:

http://www.frasunek.com/sshd_diff.gz

And compromised sshd binary:

http://www.frasunek.com/sshd_rooted.gz

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com