Re: chkrootkit reporting sshd vulnerable?
From: Henri Karrenbeld (ishtar@cal044202.student.utwente.nl)
Date: 12/29/01
- Previous message: Simon Tatham: "Re: SSH.com and Greek codepage."
- In reply to: Doctor Zen: "chkrootkit reporting sshd vulnerable?"
From: ishtar@cal044202.student.utwente.nl (Henri Karrenbeld)
Date: 29 Dec 2001 11:59:44 GMT
Doctor Zen <hidden@from.spammers.net> writes:
>ssh 3.0.1 (commercial) and chkrootkit v0.33
>When I run chkrootkit locally it reports sshd not vulnerable, but when I
>ssh into the box and then run chkrootkit on it in the shell I get "sshd
>vulnerable but disabled".
>I do have ssh1 disabled of course.
>I was just a little worried about this, I ran chkrootkit in expert mode (ha
>ha, me, an expert?, ha ha) and it gave the strings from sshd but after
>sifting through hundreds of pages I didn't spot anything untoward, not that
>I'd really know what to look for apart from anything obvious like "warez
>dude" or something like that...
>Might be a bug in chkrootkit or something to worry about?
Okay, this is the deal as far as I have figured it out:
Some of chkrootkit works by running the 'strings' command on certain programs
(e.g. sshd and sshd2) and then 'grep'-ing for various known rootkit string
patterns.
One of those patterns, being a pre-compiled password in a trojan sshd2 version,
is '^1234$' (a line containing 1234 only). No problem here, I guess there might
be a trojan out there with that in it.
Certain more recent versions of sshd2, however, also have this string in them
(it's plainly visible in the source, it's used as some kind of testing pattern
to send to the other side to see if it can be decrypted or something, I haven't
dug too deeply into it). Anyway, this string appears to be legit, safe content
of the sshd2 program.
So, this can be what people call a 'false positive'. Your sshd2 _might_ be fine
since chkrootkit cannot distinguish between this specific trojan and a
non-trojaned sshd2.
Now for the 'disabled' part. chkrootkit isn't too smart in finding out whether
some trojan is running or not. It simply checks the process list for a running
sshd2. However, the program might not be running as 'sshd2'. It's probably
running as 'sshd' because it's symlinked as sshd to sshd2.
$) Henri
--
Hardware, n.: The parts of a computer system that can be kicked. -- nn.
There are no thoughts too radical for a people to view; there are just some
people too radical to control the thoughts of others --
JMS - Great Maker of Babylon 5. -=- All Your Base Are Belong To Us!
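The two checks Henri describes, as an added example that is neither chkrootkit's own code nor part of the original thread: a signature scan that runs strings(1) over a binary and greps for '^1234$', and a "running or not" check that compares the path a process's executable resolves to instead of the name ps shows, so an sshd2 started through a symlink named sshd is still found. The sample "binaries", the work directory and the sshd -> sshd2 symlink are constructed for the demo; the live process walk assumes a Linux /proc and is only reported, never relied on.

```shell
#!/bin/sh
# Added example, not chkrootkit's own code: re-create the two checks from the
# post and show where each one misleads.
#   1. Signature scan: strings(1) over a binary, grep for '^1234$'. The line is
#      the hard-coded password of a trojaned sshd2 but also occurs in legitimate
#      sshd2 builds, hence the false positive.
#   2. "Is it running?": compare the path a PID's executable resolves to, not
#      the name in ps, because sshd2 started via a symlink shows up as 'sshd'.
# The sample "binaries" and the work directory are constructed for the demo.
set -u

# Printable runs of 4+ characters; strings(1) when available, otherwise a
# tr-based approximation so the script also runs without binutils.
extract_strings() {
    if command -v strings >/dev/null 2>&1; then
        strings -n 4 "$1"
    else
        tr -c '[:print:]' '\n' < "$1" | grep -E '^.{4,}$'
    fi
}

# Exit 0 if the file contains a string matching the pattern, 1 otherwise.
# This is all a signature check can tell you: the string is present, not
# whether the binary is trojaned.
has_signature() {
    extract_strings "$1" | grep -q -- "$2"
}

# Real basename of a program after following symlinks. A check for a running
# sshd2 should compare this, not the name the process was started under.
resolve_name() {
    basename "$(readlink -f "$1")"
}

# PIDs whose executable really is $1, found via /proc/PID/exe (Linux only).
# Host-dependent, so it is reported but never asserted on.
running_as() {
    for exe in /proc/[0-9]*/exe; do
        real=$(readlink -f "$exe" 2>/dev/null) || continue
        if [ "$(basename "$real")" = "$1" ]; then
            pid=${exe#/proc/}; echo "${pid%/exe}"
        fi
    done
}

# Build the constructed test files: an sshd2 carrying the '1234' string, a
# clean variant, and the sshd -> sshd2 symlink from the post. Prints the dir.
setup_demo() {
    dir=$(mktemp -d)
    printf 'sshd2 server\000%s\000bind()\000' 1234 > "$dir/sshd2"
    printf 'sshd2 server\000bind()\000' > "$dir/sshd2-clean"
    ln -s sshd2 "$dir/sshd"
    echo "$dir"
}

main() {
    dir=$(setup_demo)
    for f in sshd2 sshd2-clean; do
        if has_signature "$dir/$f" '^1234$'; then
            echo "$f: contains '1234' -> chkrootkit would flag it (may be a false positive)"
        else
            echo "$f: no '1234' string"
        fi
    done
    echo "started as: $(basename "$dir/sshd")   actually executes: $(resolve_name "$dir/sshd")"
    echo "live PIDs running sshd2 on this host: $(running_as sshd2 | tr '\n' ' ')"
    rm -rf "$dir"
}

main
```

The signature scan flags the constructed sshd2 file and not the clean one, which is exactly the point of the post: the string being present is all that is known, so the result needs a second source of truth (package checksums, a known-good copy, or the build's own source) before it means "trojaned". For the running check, comparing the resolved executable path rather than the ps name is what turns Henri's "vulnerable but disabled" into a correct answer when the daemon was started through a symlink.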