Security Incidents mailing list archives

Re: OpenBSD rootkit


From: Markus Friedl <markus () openbsd org>
Date: Tue, 16 Jul 2002 11:21:54 +0200

I think this is just a trojaned sshd server; there
are many similar patches available.

On Sun, Jul 14, 2002 at 08:55:07AM +0200, Przemyslaw Frasunek wrote:
--- s1        Sun Jul 14 08:48:17 2002
+++ s2        Sun Jul 14 08:48:26 2002
@@ -6,9 +6,10 @@
-@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
+grOet2CS62G4k
+@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
[...]
-nobody
+daemon
[...]
+/etc/sshd_config
[...]
-Connection refused by tcp wrapper
-libwrap refuse returns
[...]
-/usr/src/usr.bin/ssh/sshd/../sshd.c
+/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
[...]
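
Review bot: the diff does not record how s1 and s2 were produced or which sshd binary each file came from, and with the "[...]" elisions the "@@ -6,9 +6,10 @@" counts no longer match the visible lines; state the command that generated the two listings and include a checksum of each binary so the comparison can be reproduced. Among the visible changes, three separate s2 from an ordinary version bump (1.239.2.3 to 1.255) and are worth calling out explicitly: the added 13-character string "grOet2CS62G4k" ahead of the ident line, which has the length and alphabet of a traditional crypt(3) hash; the removal of both tcp wrapper messages ("Connection refused by tcp wrapper", "libwrap refuse returns"); and the embedded build path "/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c" in place of "/usr/src/usr.bin/ssh/sshd/../sshd.c". The "nobody" to "daemon" change and the added "/etc/sshd_config" line should be checked against the strings of a clean build of the same sshd.c revision before they are attributed to the modification.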

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

