OpenBSD rootkit

From: Przemyslaw Frasunek (venglinat_private)
Date: Sat Jul 13 2002 - 23:55:07 PDT

  • Next message: gs-list: "Unknown/Weird Traffic?"

    Hello.
    
    Recently one of my OpenBSD 3.0 boxes got compromised. The attacker
    used OpenSSH exploit and installed trojaned sshd binary. There were
    obvious signs of compromise:
    
    <root@svrtr:/root:251># ls -al /usr/sbin/sshd
    -rwxr-xr-x  1 root  wheel  966656 Oct 18  2001 /usr/sbin/sshd*
    <root@svrtr:/root:252># md5 /usr/sbin/sshd
    MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d
    <root@svrtr:/root:253># ldd /usr/sbin/sshd
    ldd: /usr/sbin/sshd: not a dynamic executable
    <root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
    OpenSSH_3.4
    
    1) Installed version is 3.4, but OpenBSD 3.0 ships with 3.0. File
    modification date is earlier than 3.4 release date.
    
    2) Binary is statically linked, therefore much larger than original sshd.
    
    3) It was installed with other perms (0755) than original one (0555). 
    
    I've compared good OpenSSH 3.4 binary with compromised one and found
    the following:
    
    --- s1	Sun Jul 14 08:48:17 2002
    +++ s2	Sun Jul 14 08:48:26 2002
    @@ -6,9 +6,10 @@
    -@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
    +grOet2CS62G4k
    +@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
    [...]
    -nobody
    +daemon
    [...]
    +/etc/sshd_config
    [...]
    -Connection refused by tcp wrapper
    -libwrap refuse returns
    [...]
    -/usr/src/usr.bin/ssh/sshd/../sshd.c
    +/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
    [...]
    
    Full diff output can be found at:
    
    http://www.frasunek.com/sshd_diff.gz
    
    And compromised sshd binary:
    
    http://www.frasunek.com/sshd_rooted.gz
    
    -- 
    * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Jul 15 2002 - 08:31:24 PDT