Re: trojaned SSHD ?

From: Jeff Schaller (schaller@freeshell.org)
Date: 09/21/01


Date: Fri, 21 Sep 2001 12:35:51 +0000 (UTC)
From: Jeff Schaller <schaller@freeshell.org>
To: <FOCUS-SUN@securityfocus.com>
Subject: Re: trojaned SSHD ?
Message-ID: <Pine.NEB.4.33.0109211233200.24276-100000@sdf.lonestar.org>

On Fri, 21 Sep 2001, Karthik Krishnamurthy wrote:

> ls -alni /tmp/. 2>/dev/null
> w 2>/dev/null
> netstat -s 2>/dev/null
> netstat -an 2>/dev/null
> netstat -in 2>/dev/null
> /dev/random

Got me curious, so I took a look at the source --
randoms.c has a function to accumulate random noise for the random
number generator:

...

  /* Run these first so that other statistics accumulate from
     these. We stop collecting more noise when we have spent 30
     seconds real time; on a large system a single executed command is
     probably enough, whereas on small systems we must use all possible
     noise sources. */

  random_get_noise_from_command(state, uid, "ps laxww 2>/dev/null");
  if (time(NULL) - start_time < 30)
    random_get_noise_from_command(state, uid, "ps -al 2>/dev/null");
  if (time(NULL) - start_time < 30)
    random_get_noise_from_command(state, uid, "ls -alni /tmp/. 2>/dev/null");
  if (time(NULL) - start_time < 30)
    random_get_noise_from_command(state, uid, "w 2>/dev/null");
  if (time(NULL) - start_time < 30)
    random_get_noise_from_command(state, uid, "netstat -s 2>/dev/null");
  if (time(NULL) - start_time < 30)
    random_get_noise_from_command(state, uid, "netstat -an 2>/dev/null");
  if (time(NULL) - start_time < 30)
    random_get_noise_from_command(state, uid, "netstat -in 2>/dev/null");

...

-jeff

-- 
We will have no generalizations. --G.K. Chesterton
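
The pattern in the randoms.c excerpt above, as self-contained C (an added example, not code from the SSH source or from the post): each command is run through popen() and its output is stirred into a pool, and later commands are skipped once the wall-clock budget is spent. The names noise_state, noise_init, noise_add, noise_from_command and noise_collect are hypothetical, and FNV-1a stands in for the pool mixing, which the excerpt does not show.

```c
#define _POSIX_C_SOURCE 200809L   /* popen()/pclose() */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical pool; FNV-1a (not cryptographic) stands in for the real mixing. */
struct noise_state { uint64_t pool; size_t bytes; };

static void noise_init(struct noise_state *s) {
  s->pool = 14695981039346656037ULL;   /* FNV-1a 64-bit offset basis */
  s->bytes = 0;
}

static void noise_add(struct noise_state *s, const unsigned char *buf, size_t len) {
  for (size_t i = 0; i < len; i++) {
    s->pool ^= buf[i];
    s->pool *= 1099511628211ULL;       /* FNV-1a 64-bit prime */
  }
  s->bytes += len;
}

/* Run one command via /bin/sh and stir its stdout into the pool.
   Returns bytes read, or -1 if the command could not be started. */
static long noise_from_command(struct noise_state *s, const char *cmd) {
  unsigned char buf[1024];
  size_t n;
  long total = 0;
  FILE *f = popen(cmd, "r");
  if (f == NULL) return -1;
  while ((n = fread(buf, 1, sizeof buf, f)) > 0) {
    noise_add(s, buf, n);
    total += (long)n;
  }
  pclose(f);
  return total;
}

/* The first command always runs; each later one only while the wall-clock
   budget is unspent, as in the excerpt. Returns how many commands ran. */
static int noise_collect(struct noise_state *s, const char *const *cmds,
                         int ncmds, long budget_secs) {
  time_t start = time(NULL);
  int ran = 0;
  for (int i = 0; i < ncmds; i++) {
    if (i > 0 && time(NULL) - start >= budget_secs) break;
    noise_from_command(s, cmds[i]);
    ran++;
  }
  return ran;
}
```

Calling noise_collect with the seven command strings from the excerpt and a budget of 30 follows the same sequence as the quoted source.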