Re: chkrootkit reporting sshd vulnerable?

From: Henri Karrenbeld (ishtar@cal044202.student.utwente.nl)
Date: 12/29/01



    Doctor Zen <hidden@from.spammers.net> writes:

    >ssh 3.0.1 (commercial) and chkrootkit v0.33

    >When I run chkrootkit locally it reports sshd not vulnerable, but when I
    >ssh into the box and then run chkrootkit on it in the shell I get "sshd
    >vulnerable but disabled".

    >I do have ssh1 disabled of course.

    >I was just a little worried about this, I ran chkrootkit in expert mode (ha
    >ha, me, an expert?, ha ha) and it gave the strings from sshd but after
    >sifting through hundreds of pages I didn't spot anything untoward, not that
    >I'd really know what to look for apart from anything obvious like "warez
    >dude" or something like that...

    >Might be a bug in chkrootkit or something to worry about?

    Okay, this is the deal as far as I have figured it out:

    Some of chkrootkit works by running the 'strings' command on certain programs
    (e.g. sshd and sshd2) and then 'grep'-ing for various known rootkit string
    patterns.

    One of those patterns, being a pre-compiled password in a trojan sshd2 version,
    is '^1234$' (a line containing 1234 only). No problem here, I guess there might
    be a trojan out there with that in it.

    Certain, more recent, versions of sshd2, however, also have this string in it
    (it's plainly visible in the source, it's used as some kind of testing pattern
    to send to the other side to see if it can be decrypted or something, I haven't
    dug too deeply in it). Anyway, this string appears to be a legit, safe content
    of the sshd2 program.

    So, this can be what people call a 'false positive'. Your sshd2 _might_ be fine
    since chkrootkit cannot distinguish between this specific trojan and a
    non-trojaned sshd2.

    Now for the 'disabled' part. chkrootkit isn't too smart in finding out whether
    some trojan is running or not. It simply checks the process list for a running
    sshd2. However, the program might not be running as 'sshd2'. It's probably
    running as 'sshd' because it's symlinked as sshd to sshd2.

    $) Henri

    --
    Hardware, n.: The parts of a computer system that can be kicked. -- nn.
    There are no thoughts too radical for a people to view; there are just some
    people too radical to control the thoughts of others --
        JMS - Great Maker of Babylon 5.	-=- All Your Base Are Belong To Us!
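
The two mechanisms Henri describes (a `strings | grep` signature match and a process-name lookup) can be reproduced on a constructed file so that the false positive and the sshd/sshd2 naming mismatch are visible. The script below is an added example, not chkrootkit's own code and not part of the original post; `extract_strings` is a `tr`/`grep` stand-in for the `strings` command, the sample "binary" and the function names (`check_pattern`, `make_sample_binary`, `resolved_name`) are constructed for illustration, and the '^1234$' pattern is the one the post names.

```shell
#!/bin/sh
# Added example: reproduce a chkrootkit-style signature check on a constructed
# file, and show why a daemon symlinked as "sshd" is not found under "sshd2".

# Stand-in for `strings`: replace every non-printable byte with a newline and
# keep runs of four or more printable characters.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
}

# Apply one signature pattern (grep -E syntax) to the printable strings of a
# binary. Prints 1 when the pattern matches, 0 when it does not.
check_pattern() {
    if extract_strings "$1" | grep -Eq "$2"; then
        echo 1
    else
        echo 0
    fi
}

# Constructed sample: junk bytes plus a legitimate-looking test-vector line
# "1234", mimicking what the post says recent sshd2 builds contain.
make_sample_binary() {
    printf 'ELF\001\002\003garbage\000ssh2-test-vector\000\n1234\000more\000' > "$1"
}

# Name the daemon would appear under once the symlink is followed
# (e.g. sshd -> sshd2), which a plain process-list grep for "sshd2" misses.
resolved_name() {
    basename "$(readlink -f "$1")"
}

main() {
    tmp=$(mktemp -d)
    make_sample_binary "$tmp/sshd2"
    ln -s "$tmp/sshd2" "$tmp/sshd"

    # A legitimate binary carrying the literal line "1234" matches '^1234$':
    # this is the false positive the post describes.
    echo "'^1234\$' matches constructed sshd2: $(check_pattern "$tmp/sshd2" '^1234$')"
    # The running name is "sshd", while the check looks for "sshd2".
    echo "sshd symlink resolves to: $(resolved_name "$tmp/sshd")"
    rm -rf "$tmp"
}

main "$@"
```

Running it prints a 1 for the signature match and `sshd2` for the resolved symlink, which together explain the "vulnerable but disabled" verdict: the string pattern fires on a legitimate binary, and the process-list check fails to see a daemon that runs under a different name. A pattern match alone is therefore a prompt to verify the binary against a trusted copy or vendor checksum, not proof of compromise.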
    


