Re: trojaned SSHD ?

From: Patrick Morris (pmorris@wilshire.com)
Date: 09/21/01 

Message-ID: <3BAAC893.BE0EA175@wilshire.com>
Date: Thu, 20 Sep 2001 21:56:51 -0700
From: Patrick Morris <pmorris@wilshire.com>
To: Karthik Krishnamurthy <karthik.k@extremix.net>
Subject: Re: trojaned SSHD ?

Nothing unusual there -- on Solaris (which has no /dev/random), the commands you're seeing
generate the random seed. They are configurable at compile time.

Karthik Krishnamurthy wrote:

> Hullo list,
> Saw this recently on a SunOS 2.6 running sshd version 1.2.26 [sparc-sun-solaris2.6]
>
> output of strings /usr/local/sbin/sshd | more
>
> snip
>
> ...skipping
> ls -alni /tmp/. 2>/dev/null
> w 2>/dev/null
> netstat -s 2>/dev/null
> netstat -an 2>/dev/null
> netstat -in 2>/dev/null
> /dev/random
>
>
> Looks very suspicious. Anybody else seen something like this ?
>
> Karthik

*----*

This message is intended only for the use of the person(s) listed above
as the intended recipient(s), and may contain information that is
PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient,
you may not read, copy, or distribute this message or any attachment.
If you received this communication in error, please notify us immediately
by e-mail and then delete all copies of this message and any attachments.

In addition you should be aware that ordinary (unencrypted) e-mail sent
through the Internet is not secure. Do not send confidential or sensitive
information, such as social security numbers, account numbers, personal
identification numbers and passwords, to us via ordinary (unencrypted)
e-mail.