Security Incidents mailing list archives

Re: OpenBSD rootkit

From: Mark Ruth <Mark.Ruth () gmx net>
Date: Tue, 16 Jul 2002 08:44:01 +0200 (MEST)

I would rather call this a backdoor, except the fact you can find 
some other modified progs. like ps, ls, ... or at least a kernel module.
There's a lil diff between a rootkit and a trojaned sshd.

regards



Hello.

Recently one of my OpenBSD 3.0 boxes got compromised. The 
attacker used OpenSSH exploit and installed trojaned sshd 
binary. There were obvious signs of compromise:

<root@svrtr:/root:251># ls -al /usr/sbin/sshd
-rwxr-xr-x  1 root  wheel  966656 Oct 18  2001 
/usr/sbin/sshd* <root@svrtr:/root:252># md5 /usr/sbin/sshd 
MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d 
<root@svrtr:/root:253># ldd /usr/sbin/sshd
ldd: /usr/sbin/sshd: not a dynamic executable 
<root@svrtr:/root:254># strings /usr/sbin/sshd | grep 
OpenSSH_3 OpenSSH_3.4

1) Installed version is 3.4, but OpenBSD 3.0 ships with 3.0. 
File modification date is earlier than 3.4 release date.

2) Binary is statically linked, therefore much larger than 
original sshd.

3) It was installed with other perms (0755) than original one (0555). 

I've compared good OpenSSH 3.4 binary with compromised one 
and found the following:

--- s1        Sun Jul 14 08:48:17 2002
+++ s2        Sun Jul 14 08:48:26 2002
@@ -6,9 +6,10 @@
-@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
+grOet2CS62G4k
+@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
[...]
-nobody
+daemon
[...]
+/etc/sshd_config
[...]
-Connection refused by tcp wrapper
-libwrap refuse returns
[...]
-/usr/src/usr.bin/ssh/sshd/../sshd.c
+/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
[...]

Full diff output can be found at:

http://www.frasunek.com/sshd_diff.gz

And compromised sshd binary:

http://www.frasunek.com/sshd_rooted.gz

-- 
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
* Inet: przemyslaw () frasunek com ** PGP: D48684904685DF43EA93AFA13BE170BF *

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

OpenBSD rootkit Przemyslaw Frasunek (Jul 15)
- Re: OpenBSD rootkit Markus Friedl (Jul 16)
- <Possible follow-ups>
- Re: OpenBSD rootkit Mark Ruth (Jul 16)
  - Re: OpenBSD rootkit Scott Fendley (Jul 16)