On Mar 31, 12:42pm, Joe Pruett wrote:
> Subject: ssh trojans
> I just wanted to send out a flare that there are ssh (and telnet) trojans
> out there that capture password info into:
> /usr/lib/locale/su/LC_TIME/{date,time}.h
>
> the sshd program also gets replaced, and probably just has a backdoor
> access method.
>-- End of excerpt from Joe Pruett

I came across one in a recent breakin at another site.  It was a backdoor
hack to sshd and was claimed to have been written in Jan 1999 by MagicFX.
It allows setting up a username (any one you want to pick) and allows
root access by that user when connecting via "ssh -l <username>".  It also
does not log the connection.  It's only about a 10-line patch to the source.
And it didn't do any password capturing or harvesting.

There was no way to determine if the sshd was trojaned unless you were
able to compare timestamps or file sizes. Of course, if they were running
tripwire, it would have caught this right away.


-- 
James J. Barlow   <[EMAIL PROTECTED]>
System Engineer
National Center for Supercomputing Applications
605 East Springfield Avenue                        Voice : (217)244-6403
Champaign, IL 61820                                 Cell : (217)840-0601
http://www.ncsa.uiuc.edu/People/jbarlow              Fax : (217)244-1987
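The detection point raised above (a replaced sshd that leaves no trace except, at best, a changed timestamp or file size, which a Tripwire-style integrity check would catch) as an added example. This is not code from the thread, from Tripwire or from any sshd project: it is a minimal baseline-and-verify script that records size, mtime and a SHA-256 digest per file, and its demo constructs a fake "sshd" in a temporary directory and trojans it in place while preserving size and mtime, the way an attacker defeats a stat-only comparison. The file contents, paths and the `baseline.json` name are all assumptions made for the demo.

```python
#!/usr/bin/env python3
"""Added example, not part of the original e-mail thread: a minimal
Tripwire-style baseline/verify check for a set of binaries such as sshd.

Records size, mtime and a SHA-256 digest for each path, then reports which
of those fields changed.  The demo constructs a fake 'sshd' in a temporary
directory and replaces it with a same-length file whose mtime is restored,
the way an attacker would hide a trojan from a size/timestamp comparison.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

FIELDS = ("size", "mtime_ns", "sha256")


def fingerprint(path):
    """Return the attributes tracked for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "sha256": h.hexdigest()}


def build_baseline(paths):
    """Fingerprint every path; run this from known-good media, not a live box."""
    return {str(p): fingerprint(p) for p in paths}


def save_baseline(baseline, dest):
    Path(dest).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def check(baseline):
    """Compare the live filesystem with the baseline.

    Returns {path: "missing"} or {path: [changed field names]} for anything
    that differs; files that match on every field are not listed.
    """
    findings = {}
    for path, ref in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        cur = fingerprint(path)
        changed = [f for f in FIELDS if cur[f] != ref[f]]
        if changed:
            findings[path] = changed
    return findings


def stat_only_would_notice(changed):
    """What a comparison of just timestamp and file size would have seen."""
    return any(f in ("size", "mtime_ns") for f in changed)


def demo():
    """Constructed scenario (not a real binary): trojan 'sshd' in place while
    keeping its size and mtime identical to the baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        sshd = Path(tmp) / "sshd"
        sshd.write_bytes(b"original sshd image")  # constructed stand-in, 19 bytes
        baseline_file = Path(tmp) / "baseline.json"  # assumed name
        save_baseline(build_baseline([sshd]), baseline_file)

        before = sshd.stat()
        # Attacker step: same-length replacement, then put the timestamps
        # back (the equivalent of `touch -r original trojaned`).
        sshd.write_bytes(b"trojaned sshd image")  # also 19 bytes
        os.utime(sshd, ns=(before.st_atime_ns, before.st_mtime_ns))

        findings = check(load_baseline(baseline_file))
        changed = findings[str(sshd)]
        return changed, stat_only_would_notice(changed)


if __name__ == "__main__":
    changed, noticed = demo()
    print("changed fields:", changed)
    print("size/timestamp comparison would have noticed:", noticed)
```

The digest is what catches the swap; size and mtime survive the replacement untouched. Two caveats for real use: the baseline must be taken from a known-good install before the host goes on the network, and both the baseline file and the checking tool have to live somewhere a root-level intruder cannot rewrite (read-only or off-host), since anyone able to replace sshd can also replace the database that would expose it.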
