Educause Security Discussion mailing list archives

Re: SSH password capture


From: Andrew Daviel <advax () TRIUMF CA>
Date: Tue, 6 Jul 2010 17:27:17 -0700

On Mon, 28 Jun 2010, Scott Beardsley wrote:

We recently found trojan openssh programs on a few machines, busy logging passwords in and out.

Any idea how they got in?

I caught them downloading the toolkit. It looks like linux-sendpage3 from
http://www.securityfocus.com/bid/36038/exploit, which I had already suspected but can now confirm. It works reliably and crash-free across a wide range of kernels and Linux distros updated prior to August 2009 (RedHat 8 through RHEL 5, SUSE, Slackware...). It does leave a trace in syslog, viz. repeated messages "NET: Registered protocol family...", if that is safely logged and someone is paying attention.

The sshd trojan includes a log-free backdoor to root, using a random password generated when the trojan is built. It can be found in the binary if you know where to look. So this guy can hop around the world on non-privileged passwords.


--
Andrew Daviel, TRIUMF, Canada
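A defender-side check for the syslog trace mentioned in the post above, as an added example that is not part of the original thread: it clusters kernel "NET: Registered protocol family" messages per host and reports bursts that occur well after boot, where such registrations are not expected. The log lines, hostname, kernel version string, year and thresholds are all constructed or assumed.

```python
import re
from datetime import datetime

# Constructed sample syslog excerpt (not from the original post): a normal boot,
# then a burst of family registrations hours later while a user is logged in.
SAMPLE_LOG = """\
Jul  6 09:00:00 host1 kernel: Linux version 2.6.18-example (constructed)
Jul  6 09:00:01 host1 kernel: NET: Registered protocol family 2
Jul  6 09:00:01 host1 kernel: NET: Registered protocol family 1
Jul  6 12:31:40 host1 sshd[2210]: Accepted password for bob from 192.0.2.10 port 51022 ssh2
Jul  6 12:31:58 host1 kernel: NET: Registered protocol family 16
Jul  6 12:31:58 host1 kernel: NET: Registered protocol family 4
Jul  6 12:31:59 host1 kernel: NET: Registered protocol family 9
Jul  6 12:31:59 host1 kernel: NET: Registered protocol family 15
Jul  6 12:32:00 host1 kernel: NET: Registered protocol family 21
Jul  6 12:32:00 host1 kernel: NET: Registered protocol family 23
"""

TS = r"(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
BOOT_RE = re.compile(TS + r"Linux version ")
FAMILY_RE = re.compile(TS + r"NET: Registered protocol family (?P<fam>\d+)$")

def parse_ts(ts, year=2010):
    # Classic syslog stamps carry no year; the caller supplies one (assumed here).
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bursts(log_text, window_s=60, threshold=3, boot_grace_s=300):
    """Group 'Registered protocol family' lines per host into clusters whose
    consecutive gaps are <= window_s, and report clusters of >= threshold lines
    that start more than boot_grace_s after the host's last kernel boot line
    (registrations during boot are normal and are ignored)."""
    boots, events = {}, {}
    for line in log_text.splitlines():
        m = BOOT_RE.match(line)
        if m:
            boots[m["host"]] = parse_ts(m["ts"])
            continue
        m = FAMILY_RE.match(line)
        if m:
            events.setdefault(m["host"], []).append((parse_ts(m["ts"]), int(m["fam"])))
    bursts = []
    for host, evs in events.items():
        evs.sort(key=lambda e: e[0])          # stable: keeps log order within a second
        clusters, cur = [], [evs[0]]
        for ev in evs[1:]:
            if (ev[0] - cur[-1][0]).total_seconds() <= window_s:
                cur.append(ev)
            else:
                clusters.append(cur)
                cur = [ev]
        clusters.append(cur)
        boot = boots.get(host)
        for c in clusters:
            if len(c) < threshold or (boot and (c[0][0] - boot).total_seconds() <= boot_grace_s):
                continue
            bursts.append({"host": host, "start": c[0][0], "count": len(c),
                           "families": [fam for _, fam in c]})
    return bursts

if __name__ == "__main__":
    for b in find_bursts(SAMPLE_LOG):
        print(f"{b['host']}: {b['count']} registrations from {b['start']} families={b['families']}")
```

Feed it real /var/log/messages text (with the right year) and tune the thresholds to the normal module-load behaviour of the hosts being watched.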

