From: Mark Ruth (Mark.Ruth_at_gmx.net)
Date: Tue Jul 16 2002 - 01:44:01 CDT
I would rather call this a backdoor, except for the fact that you can find
some other modified programs like ps, ls, ... or at least a kernel module.
There's a little difference between a rootkit and a trojaned sshd.
regards
>
>
> Hello.
>
> Recently one of my OpenBSD 3.0 boxes got compromised. The
> attacker used OpenSSH exploit and installed trojaned sshd
> binary. There were obvious signs of compromise:
>
> <root@svrtr:/root:251># ls -al /usr/sbin/sshd
> -rwxr-xr-x 1 root wheel 966656 Oct 18 2001 /usr/sbin/sshd*
> <root@svrtr:/root:252># md5 /usr/sbin/sshd
> MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d
> <root@svrtr:/root:253># ldd /usr/sbin/sshd
> ldd: /usr/sbin/sshd: not a dynamic executable
> <root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
> OpenSSH_3.4
>
> 1) Installed version is 3.4, but OpenBSD 3.0 ships with 3.0.
> File modification date is earlier than 3.4 release date.
>
> 2) Binary is statically linked, therefore much larger than
> original sshd.
>
> 3) It was installed with other perms (0755) than original one (0555).
>
> I've compared good OpenSSH 3.4 binary with compromised one
> and found the following:
>
> --- s1 Sun Jul 14 08:48:17 2002
> +++ s2 Sun Jul 14 08:48:26 2002
> 
-6,9 +6,10 
> -
(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
> +grOet2CS62G4k
> +
(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
> [...]
> -nobody
> +daemon
> [...]
> +/etc/sshd_config
> [...]
> -Connection refused by tcp wrapper
> -libwrap refuse returns
> [...]
> -/usr/src/usr.bin/ssh/sshd/../sshd.c
> +/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
> [...]
>
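Review bot: this hunk records what changed in the binary's string table, not how the backdoor is triggered, so the lines worth confirming in a forensic pass are, in order: the added 13-character string `+grOet2CS62G4k`, whose length and alphabet are consistent with a traditional crypt(3) hash and which would be the obvious place for a fixed credential; the swap of `-nobody` for `+daemon`, i.e. a different unprivileged account than the stock build uses; and the removed `-Connection refused by tcp wrapper` / `-libwrap refuse returns` strings, which mean hosts.allow/hosts.deny no longer apply to this build. The `+` RCS id is dated 2002/06/30 while the file's mtime shown above is Oct 18 2001, so the timestamp was set back rather than the binary being old, and the `+/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd` path shows it was not built from the vendor tree.
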
> Full diff output can be found at:
>
> http://www.frasunek.com/sshd_diff.gz
>
> And compromised sshd binary:
>
> http://www.frasunek.com/sshd_rooted.gz
>
> -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF *
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
-- GMX - The communication platform on the Internet. http://www.gmx.net
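Turning the quoted post's indicators (version string vs. the shipped release, file mode, an mtime earlier than the claimed version's release, and strings a stock build should still carry) into a repeatable baseline check, as an added example that is not part of the original thread: the baseline values, the release-date table and the two sample files it checks are constructed here, and the 2002-06-26 date for OpenSSH 3.4 is an assumption to verify against the release notes.

```python
import os, re, tempfile, time

# Constructed baseline for one host, after the quoted post: OpenBSD 3.0 ships OpenSSH 3.0
# with sshd at mode 0555, and a stock build still carries its tcp-wrapper strings.
BASELINE = {"version": "OpenSSH_3.0", "mode": 0o555,
            "expected_strings": ["libwrap refuse returns"]}
# Assumed release dates keyed by reported version (verify against the vendor's release notes);
# a file older than the release it claims to be has had its mtime set back.
RELEASE_DATES = {"OpenSSH_3.4": "2002-06-26"}

def to_epoch(day):
    return time.mktime(time.strptime(day, "%Y-%m-%d"))

def extract_strings(data, min_len=4):
    """Rough strings(1): runs of printable ASCII of at least min_len bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def check_sshd(path, baseline=BASELINE, release_dates=RELEASE_DATES):
    """Compare one file with the baseline; returns a list of findings (empty = consistent)."""
    findings = []
    with open(path, "rb") as f:
        strs = extract_strings(f.read())
    st = os.stat(path)
    mode = st.st_mode & 0o777
    if mode != baseline["mode"]:
        findings.append("mode %04o differs from expected %04o" % (mode, baseline["mode"]))
    for v in sorted({v for s in strs for v in re.findall(r"OpenSSH_[0-9][0-9.p]*", s)}):
        if v != baseline["version"]:
            findings.append("binary reports %s, expected %s" % (v, baseline["version"]))
        if v in release_dates and st.st_mtime < to_epoch(release_dates[v]):
            findings.append("mtime predates the %s release on %s" % (v, release_dates[v]))
    for needle in baseline["expected_strings"]:
        if not any(needle in s for s in strs):
            findings.append("expected string %r missing (feature compiled out?)" % needle)
    return findings

def write_sample(path, version, mode, mtime, extra):
    """Write a constructed stand-in for an sshd binary (fixture only, not an executable)."""
    with open(path, "wb") as f:
        f.write(b"\x00" * 8 + version.encode() + b"\x00" + extra + b"\x00")
    os.chmod(path, mode)
    os.utime(path, (mtime, mtime))

def demo():
    """Check a clean-looking fixture and one shaped like the post's rooted sshd."""
    d = tempfile.mkdtemp()
    clean, rooted = os.path.join(d, "sshd.clean"), os.path.join(d, "sshd.rooted")
    write_sample(clean, "OpenSSH_3.0", 0o555, to_epoch("2001-12-01"), b"libwrap refuse returns")
    write_sample(rooted, "OpenSSH_3.4", 0o755, to_epoch("2001-10-18"), b"/etc/sshd_config")
    return check_sshd(clean), check_sshd(rooted)
```

A recorded md5 of the vendor-shipped binary, as in the post, belongs in the same baseline once you have a known-good install to take it from.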