Hello,

Recently, certain OpenSSH distributions were hacked and trojaned files were inserted into the packages. Here is the link from the openssh.org site:

http://www.openssh.org/txt/trojan.adv

Hope that this helps.

--Alec Kosky--
alecat_private

On Wed, 23 Oct 2002 20:55:09 -0500 "Erick Arturo Perez Huemer" <eperezat_private> wrote:

> Sirs, the attached ssh trojan was found on one of the systems
> connected to our network.
> MD5: 474b2cc161dd428de6226914ba48281f
>
> Details:
> Machine: Linux Mandrake release 8.0 (Traktopel) for i586
> Primary use: Mail Server with remote admin via SSH.
> Original SSH server was disabled: OpenSSH_2.5.2p2
> Trojan listens on port 65298 TCP
> Installed as /usr/sbin/mingetty
> Banner: SSH-1.5-Dragos's Empire Inc.
> Chkrootkit -r /usr/sbin detected nothing
> Chkrootkit -r / detected nothing
> Chkrootkit -r /usr/sbin/ mingetty detected nothing
>
> Lsof Output:
> [root@mail temp]# lsof -p 23256
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> mingetty 23256 root cwd DIR 3,1 408 2 /
> mingetty 23256 root rtd DIR 3,1 408 2 /
> mingetty 23256 root txt REG 3,6 654387 6455 /usr/sbin/mingetty
> mingetty 23256 root mem REG 3,1 420778 67 /lib/ld-2.2.2.so
> mingetty 23256 root mem REG 3,1 78208 80 /lib/libnsl-2.2.2.so
> mingetty 23256 root mem REG 3,1 21812 74 /lib/libcrypt-2.2.2.so
> mingetty 23256 root mem REG 3,1 8284 102 /lib/libutil-2.2.2.so
> mingetty 23256 root mem REG 3,1 1216268 72 /lib/libc-2.2.2.so
> mingetty 23256 root 0u CHR 1,3 62 /dev/null
> mingetty 23256 root 1u CHR 1,3 62 /dev/null
> mingetty 23256 root 2u CHR 1,3 62 /dev/null
> mingetty 23256 root 3u CHR 5,1 4838 /dev/console
> mingetty 23256 root 4u CHR 5,1 4838 /dev/console
> mingetty 23256 root 5u CHR 5,1 4838 /dev/console
> mingetty 23256 root 6u IPv4 122992 TCP *:65298 (LISTEN)
> mingetty 23256 root 21w FIFO 0,0 16 pipe
> [root@mail temp]#
>
> Any help will be appreciated to grab further info on this.
>
> P.S. The executable is about 650 Kb so I cannot attach it to this
> message. Even a .tar is about 200k, so anyone who wants to see it, email
> me and I will send it.
>
> Thanks,
>
> Erick A. Perez H.
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
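As an added illustration (not code from either list post), a small host check that flags the pattern in the report above: a command name that should never accept network connections holding a TCP LISTEN socket in `lsof` output. The set of "no network" command names is an assumption to be tuned per host; the sample input is the report's own lsof listing, re-typed as a constant.

```python
# Added example: scan `lsof` output for processes that hold a listening TCP
# socket although their command name belongs to a program that should never
# listen on the network (mingetty only manages local virtual consoles).
# A baseline check like this catches the masquerade even when a signature
# scanner such as chkrootkit reports nothing.
import re

# Constructed sample: a subset of the lsof -p 23256 output from the report.
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mingetty 23256 root cwd DIR 3,1 408 2 /
mingetty 23256 root txt REG 3,6 654387 6455 /usr/sbin/mingetty
mingetty 23256 root 0u CHR 1,3 62 /dev/null
mingetty 23256 root 6u IPv4 122992 TCP *:65298 (LISTEN)
mingetty 23256 root 21w FIFO 0,0 16 pipe
"""

# Assumption: commands that have no business accepting network connections.
# Extend this to match the baseline of the host being checked.
NO_NETWORK_COMMANDS = {"mingetty", "getty", "agetty", "init", "cron"}

# COMMAND PID USER FD TYPE ... TCP <addr> (LISTEN)
LISTEN_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+IPv[46]\s+.*\bTCP\s+(\S+)\s+\(LISTEN\)$"
)


def find_suspicious_listeners(lsof_text):
    """Return (command, pid, user, address) for every LISTEN socket that is
    owned by a command in NO_NETWORK_COMMANDS."""
    hits = []
    for line in lsof_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        command, pid, user, addr = m.groups()
        if command in NO_NETWORK_COMMANDS:
            hits.append((command, int(pid), user, addr))
    return hits


def listening_port(addr):
    """Extract the TCP port from an lsof NAME field such as '*:65298'."""
    return int(addr.rsplit(":", 1)[1])


if __name__ == "__main__":
    for cmd, pid, user, addr in find_suspicious_listeners(LSOF_SAMPLE):
        print(f"ALERT: {cmd} (pid {pid}, user {user}) listens on port "
              f"{listening_port(addr)} ({addr})")
```

In practice the same check runs over `lsof -i -nP` for the whole host rather than a single pid, and a hit is a cue to compare the on-disk binary's checksum against the distribution package before trusting any output from the running system.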
This archive was generated by hypermail 2b30 : Tue Oct 29 2002 - 16:55:15 PST