Re: chkrootkit reporting sshd vulnerable?
From: nickd@nospam.demon.co.uk Date: 01/03/02
From: nickd@nospam.demon.co.uk Date: Thu, 03 Jan 2002 01:03:02 GMT
Henri Karrenbeld <ishtar@cal044202.student.utwente.nl> wrote:
> Doctor Zen <hidden@from.spammers.net> writes:
>
<snip>
>>I was just a little worried about this, I ran chkrootkit in expert mode (ha
>>ha, me, an expert?, ha ha) and it gave the strings from sshd but after
>>sifting through hundreds of pages I didn't spot anything untoward, not that
>>I'd really know what to look for apart from anything obvious like "warez
>>dude" or something like that...
>
>>Might be a bug in chkrootkit or something to worry about?
>
> Okay, this is the deal as far as I have figured it out:
>
> Some of chkrootkit works by running the 'strings' command on certain programs
> (e.g. sshd and sshd2) and then 'grep'-ing for various known rootkit string
> patterns.
>
> One of those patterns, being a pre-compiled password in a trojan sshd2 version,
> is '^1234$' (a line containing 1234 only). No problem here, I guess there might
> be a trojan out there with that in it.
<snip>
Also note the thread titled "understanding chkrootkit: sshd section" in
comp.os.linux.security, comp.security.unix and comp.unix.admin
--
"Anyone with the naivety to run IIS is, IMHO, automatically suspect when it comes to doing anything technical, such as setting a clock."
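
The strings-then-grep check described in the quoted post, run over two constructed files to show what the anchored pattern '^1234$' does and does not match. This is an added example, not part of the original post and not chkrootkit's own code. Assumptions: `printable_runs` is a hypothetical `tr`-based stand-in for `strings` so the script runs without binutils, and the function and file names are made up for the illustration.

```shell
#!/bin/sh
# Added example: not chkrootkit's code. All names here are hypothetical.

# Stand-in for strings(1): break the file at every byte outside printable
# ASCII and keep runs of 4 or more characters (the strings default length).
printable_runs() {
    LC_ALL=C tr -c '\040-\176' '\n' < "$1" | LC_ALL=C grep -E '.{4,}'
}

# Succeeds when some extracted string is exactly "1234", which is what the
# anchored pattern '^1234$' from the post asks for.
has_1234_line() {
    printable_runs "$1" | grep -q '^1234$'
}

# Constructed sample files: NUL-separated text, like string data in a binary.
make_samples() {
    # "1234" stands alone between two NUL bytes.
    printf 'sshd\0001234\000listening\000' > "$1/standalone.bin"
    # "1234" occurs only inside longer strings.
    printf 'sshd\000port 12345\000x1234\000' > "$1/embedded.bin"
}

# Run the check on both samples and report one verdict per file.
check_samples() {
    dir=$(mktemp -d) || return 1
    make_samples "$dir"
    result=
    for f in standalone.bin embedded.bin; do
        if has_1234_line "$dir/$f"; then
            result="$result$f=match "
        else
            result="$result$f=clean "
        fi
    done
    rm -rf "$dir"
    printf '%s\n' "${result% }"
}

check_samples
```

A match shows only that "1234" is present in the file as a printable string of its own; the check has no information about how the string got there.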