Security Basics mailing list archives
Re: SSH Trojans
From: Jim Mellander <jmellander () lbl gov>
Date: Tue, 30 Jun 2009 14:34:55 -0700
Daniel Hood wrote:
List, I'm looking into SSH Trojans, just a general understanding of them so I can hopefully someday tell the difference between an SSH Trojan and the rear end of my heel and not have to make stupid "AM I HAX0RED?!?" forum posts. But after a couple of hours of googling, though, I can't seem to turn up any traces of actual SSH Trojans. I've found SSH Trojan v.1.x but that's like 1999-ish. Are there any SSH Trojans still around? Say created after 2005-ish? If so, what are their names? I'm not sure if it's because I typed the wrong thing into Google and thus pissed it off, but I just can't seem to find any actual examples to have a play around with.
Well, I've seen quite a few in my day. Don't know the names, but have seen a number of hackers replace the sshd binaries on hacked systems with ones that either:
1. Log sniffed credentials to a file
2. Exfiltrate via stealthy connection to remote host
3. Backdoor access - special account and/or password built into sshd binary giving instant root....
Checking timestamp on sshd and running strings on it could be useful.
Also, my other question to ask is "How often are SSH-based Trojans seen in the wild?". What I mean by that is: Does every server you've ever performed forensics on contain an SSH Trojan, or is it like 4 - 5 maximum out of your career?
15-20 in the last 8 years.
Thanks, Daniel

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204
The reason you are having computer problems is: knot in cables caused data stream to become twisted and kinked
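The timestamp and strings checks Jim mentions, written out as a runnable baseline script; this is an added example, not code from the original post. It assumes a known-good SHA-256 of sshd was recorded at install time (BASELINE_SHA256 is a placeholder) and that the checks are run with tools from trusted media, since a kit that swaps sshd may swap sha256sum or strings as well.

```shell
#!/bin/sh
# Added example (not from the list post): baseline checks for a possibly
# replaced sshd binary. BASELINE_SHA256 is a placeholder for the digest you
# recorded when the package was installed. Where a package manager is
# available, `rpm -V openssh-server` or `dpkg --verify openssh-server`
# is the first check to run; the functions below work without one.

SSHD_PATH=/usr/sbin/sshd
BASELINE_SHA256="<sha256 recorded at install time>"   # placeholder

# file_sha256 PATH -> hex digest (sha256sum on GNU, shasum on BSD/macOS)
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_binary PATH EXPECTED -> 0 when the digest matches, 1 otherwise
verify_binary() {
  actual=$(file_sha256 "$1") || return 2
  if [ "$actual" = "$2" ]; then
    echo "OK: $1 matches baseline"
    return 0
  fi
  echo "MISMATCH: $1 sha256=$actual expected=$2"
  return 1
}

# modified_after REFERENCE PATH -> 0 when PATH's mtime is newer than REFERENCE
# (the timestamp check from the post; the package database or a marker file
# touched at the last patch cycle is a reasonable REFERENCE)
modified_after() {
  find "$2" -prune -newer "$1" | grep -q .
}

# suspicious_strings PATH -> printable strings a stock sshd has no reason to
# carry: world-writable scratch paths (where sniffed credentials get logged)
# or a bare shell path. tr is used as a portable stand-in for strings(1).
suspicious_strings() {
  tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}' \
    | grep -E '^/(tmp|var/tmp|dev/shm)/|^/bin/(ba)?sh$'
}

# Stand-alone use against the live binary (Debian-style package db assumed):
if [ "${1:-}" = "--run" ]; then
  verify_binary "$SSHD_PATH" "$BASELINE_SHA256"
  modified_after /var/lib/dpkg/status "$SSHD_PATH" && echo "WARN: $SSHD_PATH newer than package db"
  suspicious_strings "$SSHD_PATH"
fi
```

A hit from suspicious_strings is a lead, not a verdict; compare against the distribution's packaged sshd before acting on it.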