Virus.Org Mailing List Archive

Re: OpenBSD rootkit

  • To: [EMAIL PROTECTED]
  • Subject: Re: OpenBSD rootkit
  • From: Mark Ruth <[EMAIL PROTECTED]>
  • Date: Tue, 16 Jul 2002 17:21:24 +0200
I would rather call this a backdoor, unless you can find
some other modified programs like ps, ls, ... or at least a kernel module.
There's a little difference between a rootkit and a trojaned sshd.

regards

> 
> 
> Hello.
> 
> Recently one of my OpenBSD 3.0 boxes got compromised. The 
> attacker used an OpenSSH exploit and installed a trojaned sshd 
> binary. There were obvious signs of compromise:
> 
> <[EMAIL PROTECTED]:/root:251># ls -al /usr/sbin/sshd
> -rwxr-xr-x  1 root  wheel  966656 Oct 18  2001 /usr/sbin/sshd*
> <[EMAIL PROTECTED]:/root:252># md5 /usr/sbin/sshd 
> MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d 
> <[EMAIL PROTECTED]:/root:253># ldd /usr/sbin/sshd
> ldd: /usr/sbin/sshd: not a dynamic executable 
> <[EMAIL PROTECTED]:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
> OpenSSH_3.4
> 
> 1) The installed version is 3.4, but OpenBSD 3.0 ships with 3.0. 
> The file modification date is earlier than the 3.4 release date.
> 
> 2) The binary is statically linked, therefore much larger than 
> the original sshd.
> 
> 3) It was installed with different permissions (0755) than the original one (0555). 
> 
> I've compared good OpenSSH 3.4 binary with compromised one 
> and found the following:
> 
> --- s1	Sun Jul 14 08:48:17 2002
> +++ s2	Sun Jul 14 08:48:26 2002
> @@ -6,9 +6,10 @@
> -@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
> +grOet2CS62G4k
> +@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
> [...]
> -nobody
> +daemon
> [...]
> +/etc/sshd_config
> [...]
> -Connection refused by tcp wrapper
> -libwrap refuse returns
> [...]
> -/usr/src/usr.bin/ssh/sshd/../sshd.c
> +/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
> [...]
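Review bot: the added 13-character token grOet2CS62G4k at the top of the hunk has exactly the form of a traditional crypt(3) DES hash (two salt characters plus eleven more, all drawn from [./0-9A-Za-z]) and sits beside the version string, which is the pattern of a hardcoded backdoor password compiled into sshd; feed it to a password cracker and look in the binary for the authentication path that compares against it. Two other lines deserve a mention: the removed "Connection refused by tcp wrapper" and "libwrap refuse returns" strings indicate the replacement was built without libwrap, so any /etc/hosts.allow rules for sshd silently stop applying, and the added "/etc/sshd_config" is not the stock OpenBSD path /etc/ssh/sshd_config, so it is worth confirming which configuration file the installed daemon actually reads. The build path /tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd and the RCS id sshd.c,v 1.255 dated 2002/06/30, later than the file's Oct 18 2001 mtime, corroborate the poster's point that the mtime cannot be genuine for a 3.4 build.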
> 
> Full diff output can be found at:
> 
> http://www.frasunek.com/sshd_diff.gz
> 
> And compromised sshd binary:
> 
> http://www.frasunek.com/sshd_rooted.gz
> 
> -- 
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: [EMAIL PROTECTED] ** PGP: D48684904685DF43EA93AFA13BE170BF *

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net
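The by-hand triage quoted above (hash, ldd, permission bits and a strings diff against a known-good build), as an added example that is not part of the original thread or of OpenSSH: a small Python script that automates the same comparison and additionally flags added strings that look like a crypt(3) DES hash. It uses SHA-256 rather than md5, checks linking by parsing ELF program headers (an assumption: OpenBSD 3.0 on i386 still used a.out, for which that check returns None and is skipped), and the file names, sample strings and minimal fake ELF images in demo() are constructed test data, not the real binaries from the post.

```python
# Added example (not from the original post): automate the comparison of an
# installed binary with a known-good copy -- hash, size, permission bits,
# static-vs-dynamic linking and a strings(1)-style diff.
import hashlib
import os
import re
import stat
import struct
import tempfile

PT_DYNAMIC, PT_INTERP = 2, 3
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Heuristic: a traditional crypt(3) DES hash is exactly 13 chars of this alphabet.
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")


def strings(data: bytes) -> list:
    """strings(1) equivalent: runs of four or more printable ASCII bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(data)]


def is_dynamic_elf(data: bytes):
    """True if an ELF image has PT_INTERP/PT_DYNAMIC, False if ELF but static,
    None if not ELF (assumption: ELF; a.out images such as OpenBSD 3.0/i386 give None)."""
    if data[:4] != b"\x7fELF":
        return None
    bo = "<" if data[5] == 1 else ">"                    # EI_DATA: 1 = little-endian
    if data[4] == 1:                                     # ELFCLASS32 header layout
        (e_phoff,) = struct.unpack_from(bo + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(bo + "HH", data, 42)
    else:                                                # ELFCLASS64 header layout
        (e_phoff,) = struct.unpack_from(bo + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(bo + "HH", data, 54)
    for i in range(e_phnum):
        (p_type,) = struct.unpack_from(bo + "I", data, e_phoff + i * e_phentsize)
        if p_type in (PT_DYNAMIC, PT_INTERP):
            return True
    return False


def triage(suspect: str, reference: str, expected_mode: int = 0o555) -> list:
    """Compare an installed binary with a known-good build; return readable findings."""
    with open(suspect, "rb") as f:
        bad = f.read()
    with open(reference, "rb") as f:
        good = f.read()
    findings = []
    h_bad, h_good = hashlib.sha256(bad).hexdigest(), hashlib.sha256(good).hexdigest()
    if h_bad != h_good:
        findings.append(f"hash mismatch: {h_bad[:16]}... != reference {h_good[:16]}...")
    if len(bad) != len(good):
        findings.append(f"size {len(bad)} != reference {len(good)}")
    mode = stat.S_IMODE(os.stat(suspect).st_mode)
    if mode != expected_mode:
        findings.append(f"mode {mode:o} != expected {expected_mode:o}")
    if is_dynamic_elf(bad) is False and is_dynamic_elf(good):
        findings.append("statically linked, reference is dynamic")
    bad_strs, good_strs = set(strings(bad)), set(strings(good))
    for s in sorted(bad_strs - good_strs):               # strings only in the suspect
        tag = " (possible crypt(3) DES hash: hardcoded password?)" if CRYPT_DES.match(s) else ""
        findings.append(f"+{s}{tag}")
    for s in sorted(good_strs - bad_strs):               # strings only in the reference
        findings.append(f"-{s}")
    return findings


def _fake_elf64(ptypes, payload: bytes) -> bytes:
    """Constructed test data: minimal little-endian ELF64 image with the given
    program-header types, followed by NUL-separated strings."""
    hdr = bytearray(64)
    hdr[0:4] = b"\x7fELF"
    hdr[4], hdr[5] = 2, 1                                # ELFCLASS64, little-endian
    struct.pack_into("<Q", hdr, 32, 64)                  # e_phoff: right after the header
    struct.pack_into("<HH", hdr, 54, 56, len(ptypes))    # e_phentsize, e_phnum
    phdrs = b"".join(struct.pack("<I", t) + bytes(52) for t in ptypes)
    return bytes(hdr) + phdrs + payload


def demo() -> list:
    """Build a constructed good/trojaned pair modelled on the post and triage it."""
    good = _fake_elf64([1, PT_DYNAMIC], b"\0".join([
        b"OpenSSH_3.4", b"@(#)$OpenBSD: sshd.c,v 1.239.2.3 $",
        b"Connection refused by tcp wrapper", b"nobody"]))
    bad = _fake_elf64([1], b"\0".join([                  # no PT_DYNAMIC: static build
        b"OpenSSH_3.4", b"grOet2CS62G4k", b"@(#)$OpenBSD: sshd.c,v 1.255 $",
        b"daemon", b"/etc/sshd_config"]))
    d = tempfile.mkdtemp()
    gp, bp = os.path.join(d, "sshd.good"), os.path.join(d, "sshd.installed")
    for path, blob, mode in ((gp, good, 0o555), (bp, bad, 0o755)):
        with open(path, "wb") as f:
            f.write(blob)
        os.chmod(path, mode)
    return triage(bp, gp)


if __name__ == "__main__":
    print("\n".join(demo()))
```

Run it against real files with triage("/usr/sbin/sshd", "/path/to/known-good/sshd"); the reference copy must come from clean install media or a trusted mirror, since a hash taken from the compromised host proves nothing, and the hardcoded 0o555 default is the stock OpenBSD mode for sshd.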

Copyright (c) Virus.Org 1997-2006.