Educause Security Discussion mailing list archives
Re: SSH password capture
From: Andrew Daviel <advax () TRIUMF CA>
Date: Tue, 6 Jul 2010 17:27:17 -0700
On Mon, 28 Jun 2010, Scott Beardsley wrote:
We recently found trojan openssh programs on a few machines, busy logging passwords in and out. Any idea how they got in?
I caught them downloading the toolkit. It looks like linux-sendpage3 from http://www.securityfocus.com/bid/36038/exploit, which I had already suspected but can now confirm. It works reliably and crash-free across a wide range of kernels and Linux distros updated prior to August 2009 (RedHat 8 through RHEL 5, SUSE, Slackware...). It does leave a trace in syslog, viz. repeated messages "NET: Registered protocol family..", if that is safely logged and someone is paying attention.
The sshd trojan includes a log-free backdoor to root, using a random password generated when the trojan is built. It can be found in the binary if you know where to look. So this guy can hop around the world on non-privileged passwords.
-- Andrew Daviel, TRIUMF, Canada
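The post notes that the exploit leaves repeated "NET: Registered protocol family" kernel messages in syslog. The following is an added example, not code from the post or from TRIUMF, showing one way a defender could scan a syslog file for that trace: a normal boot registers each protocol family once, so any family that appears more than once is worth a look. The syslog excerpt is constructed for the example, and the timestamp/host format assumed is the classic BSD syslog layout.

```python
import re
from collections import defaultdict

# Constructed sample syslog excerpt (not real data). The first five lines are a
# normal boot; families 1 and 10 being registered again hours later is the kind
# of repeated message the post describes.
SAMPLE_SYSLOG = """\
Jul  6 08:00:01 host kernel: NET: Registered protocol family 16
Jul  6 08:00:01 host kernel: NET: Registered protocol family 2
Jul  6 08:00:02 host kernel: NET: Registered protocol family 1
Jul  6 08:00:02 host kernel: NET: Registered protocol family 10
Jul  6 08:00:03 host kernel: NET: Registered protocol family 17
Jul  6 09:15:44 host sshd[2201]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Jul  6 14:31:07 host kernel: NET: Registered protocol family 10
Jul  6 14:31:07 host kernel: NET: Registered protocol family 1
Jul  6 14:31:09 host kernel: NET: Registered protocol family 10
"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host kernel: NET: Registered protocol family N"
REG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"NET: Registered protocol family (?P<family>\d+)\s*$"
)


def parse_registrations(text):
    """Return a list of (timestamp, host, family) for every registration line."""
    found = []
    for line in text.splitlines():
        m = REG_RE.match(line)
        if m:
            found.append((m.group("ts"), m.group("host"), int(m.group("family"))))
    return found


def find_repeated_registrations(text, threshold=1):
    """Map each protocol family registered more than `threshold` times to its timestamps.

    A clean boot registers each family exactly once. A repeat means either a
    legitimate on-demand module load (e.g. a protocol module loaded later) or
    the exploit trace the post mentions, so treat hits as a triage signal.
    """
    by_family = defaultdict(list)
    for ts, _host, fam in parse_registrations(text):
        by_family[fam].append(ts)
    return {fam: stamps for fam, stamps in by_family.items() if len(stamps) > threshold}


def report(text):
    """Human-readable lines for each suspicious family, sorted by family number."""
    lines = []
    for fam, stamps in sorted(find_repeated_registrations(text).items()):
        lines.append(f"family {fam} registered {len(stamps)} times: {', '.join(stamps)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_SYSLOG):
        print(line)
```

Run it against `/var/log/messages` (or the output of `dmesg`) on a host you suspect; the point of the post is that the signal only survives if syslog is shipped off-box before the machine is compromised, since a root backdoor can otherwise edit the local log.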