Security Incidents mailing list archives
OpenBSD rootkit
From: Przemyslaw Frasunek <venglin () freebsd lublin pl>
Date: Sun, 14 Jul 2002 08:55:07 +0200
Hello. Recently one of my OpenBSD 3.0 boxes got compromised. The attacker used an OpenSSH exploit and installed a trojaned sshd binary. There were obvious signs of compromise:

<root@svrtr:/root:251># ls -al /usr/sbin/sshd
-rwxr-xr-x  1 root  wheel  966656 Oct 18  2001 /usr/sbin/sshd*
<root@svrtr:/root:252># md5 /usr/sbin/sshd
MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d
<root@svrtr:/root:253># ldd /usr/sbin/sshd
ldd: /usr/sbin/sshd: not a dynamic executable
<root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
OpenSSH_3.4

1) Installed version is 3.4, but OpenBSD 3.0 ships with 3.0. File modification date is earlier than the 3.4 release date.
2) Binary is statically linked, therefore much larger than the original sshd.
3) It was installed with other perms (0755) than the original one (0555).

I've compared a good OpenSSH 3.4 binary with the compromised one and found the following:

--- s1 Sun Jul 14 08:48:17 2002
+++ s2 Sun Jul 14 08:48:26 2002
@@ -6,9 +6,10 @@
-@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
+grOet2CS62G4k
+@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
[...]
-nobody
+daemon
[...]
+/etc/sshd_config
[...]
-Connection refused by tcp wrapper
-libwrap refuse returns
[...]
-/usr/src/usr.bin/ssh/sshd/../sshd.c
+/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
[...]

Full diff output can be found at:
http://www.frasunek.com/sshd_diff.gz

And compromised sshd binary:
http://www.frasunek.com/sshd_rooted.gz

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
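Review bot: the hunk's `-nobody` / `+daemon` pair and the added `/etc/sshd_config` string are host-checkable indicators in their own right and deserve the same numbered treatment as the version, linking and permission findings: a stock build never carries that config path, and a privsep child running as `daemon` instead of `nobody` is visible in ps(1) while the trojan is serving a session. The `+grOet2CS62G4k` line inserted just ahead of the version ident is a 13-character string in the crypt(3) output alphabet; it should be tried as a backdoor password hash (and the plaintext, if recovered, treated as an IOC) before the binary is filed away. The removed `Connection refused by tcp wrapper` and `libwrap refuse returns` strings mean the replacement was built without libwrap, so any hosts.allow/hosts.deny rules on the box were silently bypassed for the duration of the compromise; that is worth stating in the incident write-up, since the log lines those rules would normally produce will be absent.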
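An added example, not from Przemyslaw's post and not OpenBSD's code: a small POSIX shell checker that turns the indicators above (version ident, static linking, file mode, a known-good hash) and the strings the diff shows only in the trojaned binary into one repeatable test for any sshd on disk. The expected version, mode and SHA-256 are assumptions the caller supplies from trusted release media; the runtime-linker-string test is a heuristic standing in for ldd(1), because on a rooted host ldd, ls and grep themselves may be replaced, so this should be run from a known-good boot medium. The two sample files are constructed stand-ins, not real binaries.

```shell
#!/bin/sh
# Added example (not from the original post). Re-checks an sshd binary for the
# indicators seen in the OpenBSD 3.0 compromise. Run it from trusted media.
#
# Usage: . ./sshd_check.sh
#        check_sshd /usr/sbin/sshd OpenSSH_3.0 -r-xr-xr-x <sha256 from release media>

# First OpenSSH version ident embedded in the file, e.g. OpenSSH_3.4
sshd_version() {
    LC_ALL=C grep -a -o 'OpenSSH_[0-9][0-9A-Za-z.]*' "$1" | head -n 1
}

# Heuristic stand-in for "ldd: not a dynamic executable": a dynamically linked
# executable carries the path of its runtime linker (ld.so on OpenBSD,
# ld-linux on glibc); a static one normally does not. Returns 0 if dynamic.
looks_dynamic() {
    LC_ALL=C grep -a -q -e 'ld\.so' -e 'ld-linux' "$1"
}

# Mode string exactly as ls(1) prints it (avoids the BSD/GNU stat(1) split)
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# SHA-256 with whichever tool the host has
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# Strings the post's diff shows only in the trojaned build. Extend as needed.
has_ioc_string() {
    LC_ALL=C grep -a -q -F \
        -e '/etc/sshd_config' \
        -e '/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd' "$1"
}

# check_sshd FILE EXPECTED_VERSION EXPECTED_MODE KNOWN_GOOD_SHA256
# Prints one line per indicator that fires; return value is the count (0 = clean).
check_sshd() {
    f=$1; want_ver=$2; want_mode=$3; want_sum=$4; hits=0
    ver=$(sshd_version "$f")
    if [ "$ver" != "$want_ver" ]; then
        echo "version: found '${ver:-none}', release ships $want_ver"; hits=$((hits+1))
    fi
    if ! looks_dynamic "$f"; then
        echo "linking: no runtime-linker string, binary looks statically linked"; hits=$((hits+1))
    fi
    m=$(mode_string "$f")
    if [ "$m" != "$want_mode" ]; then
        echo "perms: $m, expected $want_mode"; hits=$((hits+1))
    fi
    s=$(sha256_of "$f")
    if [ "$s" != "$want_sum" ]; then
        echo "hash: $s does not match known-good $want_sum"; hits=$((hits+1))
    fi
    if has_ioc_string "$f"; then
        echo "ioc: string known only from the trojaned sshd is present"; hits=$((hits+1))
    fi
    return "$hits"
}
```

The hash comparison is the only one of the five checks that cannot be fooled by a trojan that simply mimics the stock version string, mode and dynamic linking; the others are cheap triage that still catches a lazy replacement like the one in the post.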
Current thread:
- OpenBSD rootkit Przemyslaw Frasunek (Jul 15)
- Re: OpenBSD rootkit Markus Friedl (Jul 16)
- <Possible follow-ups>
- Re: OpenBSD rootkit Mark Ruth (Jul 16)
- Re: OpenBSD rootkit Scott Fendley (Jul 16)