Re: trojaned SSHD ?

From: Dr. Ernst-Udo Wallenborn (euw@mail.deuba.com)
Date: 09/21/01


Date: Fri, 21 Sep 2001 10:31:42 +0200 (CEST)
From: "Dr. Ernst-Udo Wallenborn" <euw@mail.deuba.com>
To: <FOCUS-SUN@securityfocus.com>
Subject: Re: trojaned SSHD ?
Message-ID: <Pine.LNX.4.31.0109211028470.8655-100000@euw.gefm.eur.deuba.com>

On Fri, 21 Sep 2001, Karthik Krishnamurthy wrote:

>Hullo list,
>Saw this recently on a SunOS 2.6 running sshd version
>1.2.26 [sparc-sun-solaris2.6]

[snip]

> Looks very suspicious. Anybody else seen something like this ?

As far as I know this is not a trojan. ssh1 used the outputs of netstat
and ls -alni as seed for the random number generator. I have an old
computer here which still has 1.2.26 on it, and strings sshd here
has the same result as yours.
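
The check described in the reply above (running strings on a second sshd 1.2.26 and comparing the output), as an added example that is not part of the original post. The byte blobs are constructed samples standing in for the two binaries, and the function names are hypothetical.

```python
import re

def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII at least min_len long, roughly what strings(1) prints."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]

def compare_binaries(suspect: bytes, reference: bytes) -> dict:
    """Diff the embedded strings of a suspect binary against a trusted copy of the same version."""
    s = set(extract_strings(suspect))
    r = set(extract_strings(reference))
    return {
        "only_in_suspect": sorted(s - r),    # strings the trusted build does not contain
        "only_in_reference": sorted(r - s),  # strings missing from the suspect
        "shared": sorted(s & r),
    }

# Constructed sample: a trusted build that embeds the entropy-gathering
# commands named in the reply (netstat, ls -alni).
REFERENCE = b"\x7fELF\x00\x01netstat\x00ls -alni\x00\x02\x03sshd version 1.2.26\x00"

# Constructed sample: same strings, different non-printable bytes around them.
SAME_BUILD = b"\x7fELF\x00\xff\xfenetstat\x00ls -alni\x00\x10\x11sshd version 1.2.26\x00"

# Constructed sample: one extra string that the trusted build lacks.
TAMPERED = REFERENCE + b"EXAMPLE-UNEXPECTED-STRING\x00"

def verdict(suspect: bytes, reference: bytes) -> str:
    """Summarise the diff: command strings alone are not suspicious if the trusted build has them too."""
    diff = compare_binaries(suspect, reference)
    if diff["only_in_suspect"] or diff["only_in_reference"]:
        return "strings differ: investigate"
    return "strings match reference"

if __name__ == "__main__":
    for name, blob in (("same build", SAME_BUILD), ("tampered", TAMPERED)):
        print(name, "->", verdict(blob, REFERENCE))
        print("  only in suspect:", compare_binaries(blob, REFERENCE)["only_in_suspect"])
```

Matching strings only shows that the command names come from the stock build; it does not establish that the binary is unmodified. For that, compare a cryptographic hash of the file against a copy from trusted media.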


