OSEC

From: Konrad Rieck (krroqe.org)
Date: Fri Sep 21 2001 - 02:49:25 CDT


    Hi,

    On Fri, Sep 21, 2001 at 06:16:33AM +0530, Karthik Krishnamurthy wrote:
    >
    > output of strings /usr/local/sbin/sshd | more
    >
    > ...skipping
    > ls -alni /tmp/. 2>/dev/null
    > w 2>/dev/null
    > netstat -s 2>/dev/null
    > netstat -an 2>/dev/null
    > netstat -in 2>/dev/null
    > /dev/random
    >
    > Looks very suspicious. Anybody else seen something like this ?

    Yes! It's some entropy gathering from within the default sshd. If no
    random device is present, sshd is able to calculate some PRNs using entropy
    provided by net statistics, etc...

    Check the source code:

    krgorkie:ssh-1.2.26> grep -r netstat *
    randoms.c: random_get_noise_from_command(state, uid, "netstat -s 2>/dev/null");
    randoms.c: random_get_noise_from_command(state, uid, "netstat -an 2>/dev/null");
    randoms.c: random_get_noise_from_command(state, uid, "netstat -in 2>/dev/null");

    Regards,
    Konrad

    -- 
    Konrad Rieck <krroqe.org>                    
    Roqefellaz - http://www.roqe.org, Public Key http://www.roqe.org/keys/kr.pub
    --           Fingerprint: 5803 E58E D1BF 9A29 AFCA  51B3 A725 EA18 ABA7 A6A3
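
The grep check from the reply above, generalized as an added example (not part of the original post and not code from ssh): for each line of `strings` output, report whether it occurs as a quoted string literal in a source tree you trust. The function names and both sample inputs are constructed; the sample source fragment holds only the three calls quoted in the post, so `w 2>/dev/null` is reported as UNEXPLAINED here and would need the full source tree to resolve.

```shell
#!/bin/sh
# explain_strings SRC_DIR STRINGS_FILE   (hypothetical helper name)
# STRINGS_FILE holds the output of `strings <binary>`, one string per line.
# A line is "explained" when the same text appears as a "quoted" literal
# somewhere under SRC_DIR; anything else is left for manual review.
explain_strings() {
    src_dir=$1
    strings_file=$2
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # -F matches the text literally, so characters such as '.' or '*'
        # in the string are not treated as a regular expression.
        hit=$(grep -rlF -- "\"$line\"" "$src_dir" 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            printf 'explained\t%s\t%s\n' "$line" "${hit#"$src_dir"/}"
        else
            printf 'UNEXPLAINED\t%s\n' "$line"
        fi
    done < "$strings_file"
}

# demo: runs the check on constructed inputs built from lines in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/src"
    # Constructed source fragment: only the three calls shown in the reply.
    printf '%s\n' \
        'random_get_noise_from_command(state, uid, "netstat -s 2>/dev/null");' \
        'random_get_noise_from_command(state, uid, "netstat -an 2>/dev/null");' \
        'random_get_noise_from_command(state, uid, "netstat -in 2>/dev/null");' \
        > "$tmp/src/randoms.c"
    # Constructed strings output: four of the lines quoted in the question.
    printf '%s\n' \
        'w 2>/dev/null' \
        'netstat -s 2>/dev/null' \
        'netstat -an 2>/dev/null' \
        'netstat -in 2>/dev/null' \
        > "$tmp/strings.txt"
    explain_strings "$tmp/src" "$tmp/strings.txt"
    rm -rf "$tmp"
}

demo
```

An UNEXPLAINED line only means the string was not found in the tree that was searched; the comparison is meaningful when that tree is the exact version the binary was supposedly built from.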