Re: SSH Trojan found on my system, request more info on identification

From: Alec Kosky (alecat_private)
Date: Mon Oct 28 2002 - 13:18:45 PST


       Hello,
    
          Recently, certain OpenSSH distributions were hacked and trojaned files
       were inserted into the packages. Here is the link from the openssh.org
       site:
    
          http://www.openssh.org/txt/trojan.adv
    
       Hope that this helps.
    
       --Alec Kosky--
       alecat_private
    
    
    
    On Wed, 23 Oct 2002 20:55:09 -0500 "Erick Arturo Perez Huemer" <eperezat_private> wrote:
    
    >  
    >  Sirs, the attached ssh trojan was found on one of the systems 
    >  connected to our network.
    >  MD5: 474b2cc161dd428de6226914ba48281f
    >  
    >  Details:
    >  Machine: Linux Mandrake release 8.0 (Traktopel) for i586
    >  Primary use: Mail Server with remote admin via SSH.
    >  Original SSH server was disabled:  OpenSSH_2.5.2p2
    >  Trojan Listen on port 65298 TCP
    >  Installed as /usr/sbin/mingetty
    >  Banner: SSH-1.5-Dragos's Empire Inc.
    >  Chkrootkit -r /usr/sbin detected nothing
    >  Chkrootkit -r / detected nothing
    >  Chkrootkit -r /usr/sbin/ mingetty detected nothing
    >  
    >  lsof output:
    >  [root@mail temp]# lsof -p 23256
    >  COMMAND    PID USER   FD   TYPE DEVICE    SIZE NODE NAME
    >  mingetty 23256 root  cwd    DIR    3,1     408    2 /
    >  mingetty 23256 root  rtd    DIR    3,1     408    2 /
    >  mingetty 23256 root  txt    REG    3,6  654387 6455 /usr/sbin/mingetty
    >  mingetty 23256 root  mem    REG    3,1  420778   67 /lib/ld-2.2.2.so
    >  mingetty 23256 root  mem    REG    3,1   78208   80 /lib/libnsl-2.2.2.so
    >  mingetty 23256 root  mem    REG    3,1   21812   74 /lib/libcrypt-2.2.2.so
    >  mingetty 23256 root  mem    REG    3,1    8284  102 /lib/libutil-2.2.2.so
    >  mingetty 23256 root  mem    REG    3,1 1216268   72 /lib/libc-2.2.2.so
    >  mingetty 23256 root    0u   CHR    1,3           62 /dev/null
    >  mingetty 23256 root    1u   CHR    1,3           62 /dev/null
    >  mingetty 23256 root    2u   CHR    1,3           62 /dev/null
    >  mingetty 23256 root    3u   CHR    5,1         4838 /dev/console
    >  mingetty 23256 root    4u   CHR    5,1         4838 /dev/console
    >  mingetty 23256 root    5u   CHR    5,1         4838 /dev/console
    >  mingetty 23256 root    6u  IPv4 122992          TCP *:65298 (LISTEN)
    >  mingetty 23256 root   21w  FIFO    0,0           16 pipe
    >  [root@mail temp]#
    >  
    >  Any help will be appreciated to grab further info on this.
    > 
    > P.S. The executable is about 650 KB so I cannot attach it to this
    > message. Even a .tar is about 200 KB, so anyone who wants to see it, email
    > me and I will send it.
    > Thanks,
    >  
    >  Erick A. Perez H.
    >  
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    
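The listing Erick posted shows the two behavioural tells that signature-based tools such as chkrootkit miss when a trojaned sshd is simply dropped in under a system binary's name: a tty program (mingetty) holding a listening TCP socket, and an SSH banner whose software field is not the OpenSSH build the host is supposed to run. The script below is an added example, not code from the thread or from any project, that turns those tells into checks over `lsof -p` output and a banner string. The lsof text is constructed to mirror the posted listing; the allow-list of expected ports, the "never a network daemon" command list and the expected banner prefix are assumptions chosen for illustration.

```python
"""Triage a suspect process from `lsof -p PID` output and an SSH banner.

Added example, not code from the original thread. SAMPLE_LSOF is constructed
to mirror the listing in the post (command mingetty, root, txt
/usr/sbin/mingetty, TCP *:65298 LISTEN). EXPECTED_LISTEN_PORTS,
NO_NETWORK_COMMANDS and EXPECTED_SSH_SOFTWARE_PREFIX are assumptions.
"""
import re
from dataclasses import dataclass, field

# Assumption: programs that drive local ttys and must never own a listening socket.
NO_NETWORK_COMMANDS = {"mingetty", "agetty", "getty", "login"}

# Assumption: ports a mail host with SSH admin is expected to listen on
# (ssh, smtp, pop3, imap).
EXPECTED_LISTEN_PORTS = {22, 25, 110, 143}

# Assumption: the legitimate server identifies itself as OpenSSH (the post says
# the original server was OpenSSH_2.5.2p2).
EXPECTED_SSH_SOFTWARE_PREFIX = "OpenSSH_"

# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME.
# Column padding is collapsed to single spaces before matching.
TXT_RE = re.compile(
    r"^(?P<cmd>\S+) (?P<pid>\d+) (?P<user>\S+) txt REG \S+ "
    r"(?P<size>\d+) \d+ (?P<path>\S+)$")
LISTEN_RE = re.compile(
    r"^(?P<cmd>\S+) (?P<pid>\d+) (?P<user>\S+) \S+ IPv[46] \S+ "
    r"TCP (?P<addr>\S+):(?P<port>\d+) \(LISTEN\)$")

# Constructed sample modelled on the listing in the post.
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE    SIZE NODE NAME
mingetty 23256 root  cwd    DIR    3,1     408    2 /
mingetty 23256 root  txt    REG    3,6  654387 6455 /usr/sbin/mingetty
mingetty 23256 root  mem    REG    3,1 1216268   72 /lib/libc-2.2.2.so
mingetty 23256 root    0u   CHR    1,3           62 /dev/null
mingetty 23256 root    6u  IPv4 122992          TCP *:65298 (LISTEN)
mingetty 23256 root   21w  FIFO    0,0           16 pipe
"""


@dataclass
class ProcessInfo:
    cmd: str = ""
    pid: int = 0
    user: str = ""
    exe: str = ""
    exe_size: int = 0
    listeners: list = field(default_factory=list)  # (address, port) pairs


def parse_lsof(text: str) -> ProcessInfo:
    """Pull the executable image and every listening TCP socket out of lsof -p output."""
    info = ProcessInfo()
    for raw in text.splitlines():
        line = " ".join(raw.split())
        m = TXT_RE.match(line)
        if m:
            info.cmd, info.pid, info.user = m["cmd"], int(m["pid"]), m["user"]
            info.exe, info.exe_size = m["path"], int(m["size"])
            continue
        m = LISTEN_RE.match(line)
        if m:
            info.cmd, info.pid, info.user = m["cmd"], int(m["pid"]), m["user"]
            info.listeners.append((m["addr"], int(m["port"])))
    return info


def triage_process(info: ProcessInfo) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    if info.cmd in NO_NETWORK_COMMANDS and info.listeners:
        where = ", ".join(f"{a}:{p}" for a, p in info.listeners)
        findings.append(f"{info.cmd} (pid {info.pid}, exe {info.exe}) is a tty "
                        f"program but listens on {where}")
    for _addr, port in info.listeners:
        if port not in EXPECTED_LISTEN_PORTS:
            findings.append(f"{info.user} process {info.cmd} listens on "
                            f"unexpected port {port}")
    return findings


def check_ssh_banner(banner: str) -> tuple:
    """Split 'SSH-<proto>-<software>' and report whether the software field is expected.

    Returns (protocol_version, software, ok). The software field is the part a
    replacement sshd typically changes, so it is the cheapest remote tell.
    """
    m = re.match(r"^SSH-(\d+\.\d+)-(.*)$", banner.rstrip("\r\n"))
    if not m:
        return ("", "", False)
    proto, software = m.group(1), m.group(2)
    return (proto, software, software.startswith(EXPECTED_SSH_SOFTWARE_PREFIX))


if __name__ == "__main__":
    proc = parse_lsof(SAMPLE_LSOF)
    for finding in triage_process(proc):
        print("FINDING:", finding)
    print(check_ssh_banner("SSH-1.5-Dragos's Empire Inc."))
```

On a live host, feed it `lsof -nP -p PID` (numeric addresses and ports, so the regexes are not fooled by resolved names) and confirm the file-level side with the package manager, e.g. `rpm -Vf /usr/sbin/mingetty` on an RPM-based system such as Mandrake, which reports size and MD5 mismatches against the installed package's manifest; a 650 KB mingetty is a clear mismatch on its own.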
    



    This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 16:55:15 PST