Security Basics mailing list archives

Re: SSH Trojans


From: Jim Mellander <jmellander () lbl gov>
Date: Tue, 30 Jun 2009 14:34:55 -0700

Daniel Hood wrote:
> List,
>
> I'm looking into SSH Trojans, just a general understanding of them so I
> can hopefully someday tell the difference between an SSH Trojan and
> the rear end of my heel and not have to make stupid "AM I HAX0RED?!?"
> forum posts. But after a couple of hours of googling, though, I can't
> seem to turn up any traces of actual SSH Trojans. I've found SSH
> Trojan v.1.x but that's like 1999-ish. Are there any SSH Trojans still
> around? Say, created after 2005-ish? If so, what are their names? I'm
> not sure if it's because I typed the wrong thing into Google and thus
> pissed it off, but I just can't seem to find any actual examples to
> have a play around with.

Well, I've seen quite a few in my day.  Don't know the names, but have
seen a number of hackers replace the sshd binaries on hacked systems with
ones that either:

1. Log sniffed credentials to a file
2. Exfiltrate via stealthy connection to remote host
3. Backdoor access - special account and/or password built into sshd
binary giving instant root....

Checking the timestamp on sshd and running strings on it could be useful.



> Also, my other question to ask is "How often are SSH-based Trojans
> seen in the wild?". What I mean by that is: Does every server you've
> ever performed forensics on contain an SSH Trojan or is it like 4 - 5
> maximum out of your career?

15-20 in the last 8 years.


> Thanks,
>
> Daniel

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

knot in cables caused data stream to become twisted and kinked
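Jim's two checks above, the sshd timestamp and a strings pass, as an added example that is not part of the original thread. The indicator patterns (paths under world-writable directories, a hard-coded IPv4 address), the known-good allowlist, the sample "binaries" and the temp files used for the timestamp check are all constructed for illustration; 203.0.113.10 is from the RFC 5737 documentation range, not a real exfiltration address.

```python
"""Triage an sshd binary for signs of replacement: a timestamp outlier check
against sibling OpenSSH binaries, and a `strings`-style scan for indicators
of a credential-logging or phone-home build. Added example, not code from the
thread; the indicators are heuristics (assumptions), not signatures."""
from __future__ import annotations

import os
import re
import statistics
import sys
import tempfile

MIN_STRING_LEN = 4  # same default as GNU strings

# Heuristic indicators (assumptions). A stock sshd has little reason to name
# a file under a world-writable directory (a common drop point for a log of
# sniffed credentials) or to carry a hard-coded remote IPv4 address (a common
# exfiltration target).
INDICATORS = {
    "writable_dir_path": re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/\S+"),
    "hardcoded_ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}
# Known-good hits in stock OpenSSH: the agent-forwarding socket directory
# template, and loopback/unspecified addresses. Extend this after a look at a
# clean binary of the same package version; do not tune it on the suspect.
KNOWN_GOOD = {"0.0.0.0", "127.0.0.1"}
KNOWN_GOOD_PATH_PREFIX = "/tmp/ssh-XXXXXXXXXX"


def extract_strings(blob: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes, as `strings` reports."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def suspicious_strings(strs) -> dict[str, list[str]]:
    """Map indicator name -> matching tokens, with known-good tokens removed."""
    hits: dict[str, list[str]] = {}
    for s in strs:
        for name, pat in INDICATORS.items():
            for m in pat.finditer(s):
                tok = m.group()
                if tok in KNOWN_GOOD or tok.startswith(KNOWN_GOOD_PATH_PREFIX):
                    continue
                hits.setdefault(name, []).append(tok)
    return hits


def mtime_outliers(paths, tolerance_s: float = 86400) -> list[str]:
    """Paths whose mtime is more than tolerance_s from the median of the set.
    Binaries from one package (sshd, ssh, ssh-keygen, ...) normally share an
    install time; a lone sshd that is days newer than its siblings is worth a
    look. An attacker can `touch -r` the original timestamp back, so treat a
    clean result as weak evidence and also verify against the package DB
    (rpm -Vf / dpkg --verify) or a hash taken from a known-clean copy."""
    mtimes = {p: os.stat(p).st_mtime for p in paths}
    median = statistics.median(mtimes.values())
    return sorted(p for p, t in mtimes.items() if abs(t - median) > tolerance_s)


# Constructed sample "binaries" (not real sshd images): an ELF-like header and
# a few strings a stock sshd carries; the trojaned one adds a log path under
# /dev/shm, an address from the RFC 5737 documentation range, and a
# user:pass@host-looking format string.
CLEAN_BLOB = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
              + b"OpenSSH_7.4\x00/etc/ssh/sshd_config\x00"
              + b"/tmp/ssh-XXXXXXXXXX\x00Permission denied\x00")
TROJANED_BLOB = CLEAN_BLOB + b"/dev/shm/.x/sshd.log\x00203.0.113.10\x00%s:%s@%s\n\x00"


def demo_mtime_check() -> list[str]:
    """Create three fake package siblings in a temp dir, make sshd a week
    newer than the others, and return the basenames flagged as outliers."""
    base = 1_246_000_000  # an epoch time in mid-2009, constructed
    with tempfile.TemporaryDirectory() as d:
        names = {}
        for name, age in (("ssh", 0), ("ssh-keygen", 0), ("sshd", 7 * 86400)):
            p = os.path.join(d, name)
            open(p, "wb").close()
            os.utime(p, (base + age, base + age))
            names[p] = name
        return [names[p] for p in mtime_outliers(list(names))]


if __name__ == "__main__":
    # Usage: python sshd_triage.py /usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-keygen
    targets = sys.argv[1:]
    for p in (mtime_outliers(targets) if len(targets) >= 3 else []):
        print(f"[mtime] {p} differs from its siblings by more than a day")
    for p in targets:
        with open(p, "rb") as f:
            report = suspicious_strings(extract_strings(f.read()))
        for name, toks in report.items():
            print(f"[strings] {p}: {name}: {toks}")
```

Both checks are cheap and both are beatable: timestamps can be restored with `touch -r`, and a careful attacker strips or encodes the strings that give a crude build away. Treat a hit as a reason to pull the binary and compare its hash against the distribution's package from a clean host (or boot rescue media and verify from there), since the package database on a rooted box is no more trustworthy than sshd itself.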
