Re: chkrootkit reporting sshd vulnerable?

From: nickd@nospam.demon.co.uk
Date: 01/03/02

    From: nickd@nospam.demon.co.uk
    Date: Thu, 03 Jan 2002 01:03:02 GMT
    
    

    Henri Karrenbeld <ishtar@cal044202.student.utwente.nl> wrote:
    > Doctor Zen <hidden@from.spammers.net> writes:
    >
    <snip>

    >>I was just a little worried about this, I ran chkrootkit in expert mode (ha
    >>ha, me, an expert?, ha ha) and it gave the strings from sshd but after
    >>sifting through hundreds of pages I didn't spot anything untoward, not that
    >>I'd really know what to look for apart from anything obvious like "warez
    >>dude" or something like that...
    >
    >>Might be a bug in chkrootkit or something to worry about?
    >
    > Okay, this is the deal as far as I have figured it out:
    >
    > Some of chkrootkit works by running the 'strings' command on certain programs
    > (e.g. sshd and sshd2) and then 'grep'-ing for various known rootkit string
    > patterns.
    >
    > One of those patterns, being a pre-compiled password in a trojan sshd2 version,
    > is '^1234$' (a line containing 1234 only). No problem here, I guess there might
    > be a trojan out there with that in it.

    <snip>

    Also note the thread titled "understanding chkrootkit: sshd section" in
    comp.os.linux.security, comp.security.unix and comp.unix.admin

    -- 
    "Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
     comes to doing anything technical, such as setting a clock."
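
The strings-and-grep check described in the quoted explanation above, as an added example that is not part of the original post and is not chkrootkit's own code. It approximates strings(1) with tr and awk (an assumption: minimum run length 4), and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; not chkrootkit's code. All sample files are constructed.

# Approximate strings(1): split on non-printable bytes, keep runs of >= 4 chars.
printable_runs() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# The signature test from the thread: a printable run that is exactly "1234".
# Exit status 0 means the pattern matched, 1 means it did not.
sig_match() {
    printable_runs "$1" | grep '^1234$' > /dev/null
}

scan() {
    if sig_match "$1"; then echo "FLAGGED"; else echo "clean"; fi
}

# Build three constructed files with binary-looking framing around text runs.
make_samples() {
    dir=$1
    # "1234" bounded by NUL bytes is its own run, so '^1234$' matches it.
    printf 'ELF\001\002hdr\000usage: demo\000%s\000port %%d\000' 1234 \
        > "$dir/standalone"
    # "1234" inside longer runs: the ^ and $ anchors prevent a match.
    printf 'ELF\001\002hdr\000listen on %s5\000id=%s;\000' 1234 1234 \
        > "$dir/embedded"
    # No digits at all.
    printf 'ELF\001\002hdr\000usage: demo\000' > "$dir/none"
}

demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp"
    for f in standalone embedded none; do
        printf '%s: %s\n' "$f" "$(scan "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo
```

A match only says that a four-character run "1234" exists somewhere in the file; the check has no knowledge of what the program does with that string, so a hit is a prompt to verify the binary against a known-good copy or package checksum.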