Educause Security Discussion mailing list archives

Re: SSH password capture


From: "Yonesy F. Nunez" <yonesy.nunez () NEWSCHOOL EDU>
Date: Mon, 28 Jun 2010 08:52:05 -0400

Agreed.  SSH keys are stronger than passwords; I'd recommend protecting the
SSH keys with a strong password, though ;).  In the event that you require
automated usage of SSH, harden the device/system that requires this usage to
further prevent these types of exploits.  And not to thread-jack, but what
is everyone else doing to manage system updates in their *nix (and/or
heterogeneous) environments?

Best regards,

Yonesy


--
Yonesy F. Nuñez | THE NEW SCHOOL
Director, Information Security
Office of Information Technology
55 W 13th Street, Rm 705 
New York, NY 10011
P| 212.229.5300 x4728
F| 212.647.8211
E|nunezy () newschool edu



-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew Daviel
Sent: Saturday, June 26, 2010 2:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SSH password capture

We recently found trojan openssh programs on a few machines, busy logging 
passwords in and out. I just wondered if anyone else had been hit by 
this, or had the source code - the one we found had a "SKYNET" ascii-art 
logo embedded in it. I suspect it of having a login backdoor, too, but 
can't prove it. I think they had a user account and privilege escalation 
exploit to get started, then followed some root passwords to get more 
systems, but don't seem to have done anything else to draw attention to 
themselves. An MD5 check against the package manager records found them 
once we started looking.

I've been trying to encourage ssh keys instead of passwords, especially 
for root, after being bitten a few years back, but it's hard - passwords 
seem embedded in the modern psyche.

-- 
Andrew Daviel, TRIUMF, Canada

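The check Andrew describes at the end of his message, an MD5 comparison of installed files against what the package manager recorded at install time, is the one that surfaced the trojaned ssh/sshd binaries. The script below is an added example written for this archive page, not code from either poster: it reimplements that comparison over a manifest in the same "md5  relative/path" layout that dpkg keeps under /var/lib/dpkg/info/*.md5sums, and the sample package root, file contents and manifest are constructed inline so it runs offline. The file names under the fake root are placeholders standing in for the real binaries.

```shell
#!/bin/sh
# Added example, not code from the thread. Demonstrates the check Andrew
# describes: compare the MD5 of installed files against the checksums the
# package manager recorded at install time, so a replaced sshd/ssh shows up
# as a mismatch. On real systems use the recorded data directly:
#   rpm -Va        # RPM: a '5' in the flags column means the MD5 differs
#   debsums -c     # Debian/Ubuntu: checks /var/lib/dpkg/info/*.md5sums
# The manifest format here ("md5  relative/path", one per line) is the same
# one dpkg stores, so verify_manifest also works on those files.

# md5_of FILE: print the hex MD5 of FILE (coreutils md5sum, or openssl on BSD/macOS)
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# record_manifest ROOT PATH...: print a manifest line for each PATH relative to ROOT
record_manifest() {
    root="$1"; shift
    for p in "$@"; do
        printf '%s  %s\n' "$(md5_of "$root/$p")" "$p"
    done
}

# verify_manifest MANIFEST ROOT: print one line per missing or modified
# file; return 1 if anything differs from the manifest, 0 if all clean.
verify_manifest() {
    manifest="$1"; root="$2"; bad=0
    while read -r recorded path; do
        [ -z "$recorded" ] && continue
        if [ ! -f "$root/$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        current=$(md5_of "$root/$path")
        if [ "$current" != "$recorded" ]; then
            echo "MODIFIED $path (recorded $recorded, now $current)"; bad=1
        fi
    done < "$manifest"
    return $bad
}

# Constructed demo (placeholder files, not real binaries): a fake package
# root, a manifest taken at "install" time, then a replaced sshd, as an
# attacker dropping a password-logging build would.
demo=$(mktemp -d)
mkdir -p "$demo/usr/sbin" "$demo/usr/bin"
printf 'original sshd\n' > "$demo/usr/sbin/sshd"
printf 'original ssh\n'  > "$demo/usr/bin/ssh"
record_manifest "$demo" usr/sbin/sshd usr/bin/ssh > "$demo/openssh.md5sums"

verify_manifest "$demo/openssh.md5sums" "$demo" && echo "clean before tampering"
printf 'original sshd plus a password logger\n' > "$demo/usr/sbin/sshd"
verify_manifest "$demo/openssh.md5sums" "$demo" || echo "tampering detected"
rm -rf "$demo"
```

The check is only as trustworthy as the tools and the package database on the box: an intruder with root can patch md5sum or rpm, or rewrite the recorded checksums, as easily as sshd. Run it from known-good binaries (a rescue boot or a clean copy of the package tools) and, where the distribution offers them, compare against manifests or signed package files fetched from the mirror rather than the local database. MD5 itself is also no longer collision-resistant, so a modern equivalent would verify package signatures or SHA-256 file lists, but for a trojan dropped over an existing binary the mismatch is exactly what this comparison catches.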

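Yonesy's point about automated SSH use is that a key a cron job or backup agent must hold cannot carry a passphrase, so the damage from that key leaking has to be bounded on the server side. The following authorized_keys fragment is an added illustration for this archive page, not configuration from either poster or their institutions; the key string, the source address (RFC 5737 test range) and the forced-command path are placeholders.

```text
# Weak: an unrestricted key held by a nightly backup job. Whoever copies the
# private key from the client host gets an interactive shell as this user.
ssh-ed25519 AAAA...placeholder-public-key... backup@client.example

# Hardened: the same key, but accepted only from one source host, only to run
# one fixed command (the client's requested command is ignored and exposed to
# the script as $SSH_ORIGINAL_COMMAND), and with no PTY, port forwarding,
# agent forwarding or X11 forwarding.
from="192.0.2.10",command="/usr/local/bin/run-backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA...placeholder-public-key... backup@client.example
```

The same file-level restrictions are what OpenSSH 7.2 and later bundle into the single `restrict` option, which disables every forwarding and PTY feature at once and is the safer default for new entries. On the password side that Andrew raises, the corresponding sshd_config settings are `PasswordAuthentication no` and, for root specifically, `PermitRootLogin without-password` (spelled `prohibit-password` from OpenSSH 7.0 on, with the old name still accepted); with those set, a captured password is worthless for a fresh login, and a trojaned sshd on one host cannot be used to harvest credentials that open the next one.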