I would rather call this a backdoor, except for the fact that you can find some other modified programs like ps, ls, ... or at least a kernel module. There's a little difference between a rootkit and a trojaned sshd.

regards

> Hello.
>
> Recently one of my OpenBSD 3.0 boxes got compromised. The
> attacker used an OpenSSH exploit and installed a trojaned sshd
> binary. There were obvious signs of compromise:
>
> <root@svrtr:/root:251># ls -al /usr/sbin/sshd
> -rwxr-xr-x  1 root  wheel  966656 Oct 18  2001 /usr/sbin/sshd*
> <root@svrtr:/root:252># md5 /usr/sbin/sshd
> MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d
> <root@svrtr:/root:253># ldd /usr/sbin/sshd
> ldd: /usr/sbin/sshd: not a dynamic executable
> <root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
> OpenSSH_3.4
>
> 1) The installed version is 3.4, but OpenBSD 3.0 ships with 3.0.
>    The file modification date is earlier than the 3.4 release date.
>
> 2) The binary is statically linked, therefore much larger than
>    the original sshd.
>
> 3) It was installed with other perms (0755) than the original one (0555).
>
> I've compared a good OpenSSH 3.4 binary with the compromised one
> and found the following:
>
> --- s1 Sun Jul 14 08:48:17 2002
> +++ s2 Sun Jul 14 08:48:26 2002
> @@ -6,9 +6,10 @@
> -@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
> +grOet2CS62G4k
> +@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
> [...]
> -nobody
> +daemon
> [...]
> +/etc/sshd_config
> [...]
> -Connection refused by tcp wrapper
> -libwrap refuse returns
> [...]
> -/usr/src/usr.bin/ssh/sshd/../sshd.c
> +/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
> [...]
>
> Full diff output can be found at:
> http://www.frasunek.com/sshd_diff.gz
>
> And the compromised sshd binary:
> http://www.frasunek.com/sshd_rooted.gz
>
> --
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
> * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

--
GMX - The communication platform on the Internet.
http://www.gmx.net
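Review bot: the added string `grOet2CS62G4k` at the top of the hunk is 13 characters drawn from the crypt(3) alphabet (a 2-character salt followed by 11 hash characters), which is the shape of a traditional DES password hash and consistent with a hard-coded backdoor credential compiled into the replacement sshd; it is worth treating it as such and running it through crypt() against candidate passwords before the image is discarded. The same hunk drops `Connection refused by tcp wrapper` and `libwrap refuse returns`, so this build was made without libwrap and any hosts.allow/hosts.deny rules on the box no longer gate sshd connections; the `nobody`/`daemon` swap changes which unprivileged account the binary refers to, and the added `/etc/sshd_config` points at a configuration path that differs from the stock one, so that file should be collected alongside the binary before the host is rebuilt.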
This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 08:21:22 PDT
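One way to automate the comparison the post does by hand, as an added example that is not part of the original thread and not OpenSSH code: it diffs the strings(1) output of a known-good and a suspect binary and flags the indicators discussed above (an embedded password hash, new absolute paths, a build tree outside /usr/src, missing tcp-wrapper messages, a version banner newer than the OS release ships). `GOOD_STRINGS` and `SUSPECT_STRINGS` are constructed sample data modelled on the visible diff, the expected version "3.0" comes from the post's note that OpenBSD 3.0 ships OpenSSH 3.0, and treating a 13-character string from the crypt(3) alphabet as a password hash is a heuristic assumption, not something the post states.

```python
"""Triage a suspect binary by comparing its strings(1) output with a
known-good build of the same program, the way the post compares sshd."""
import re
import sys
from typing import Dict, List, Optional

# Constructed sample data, not real strings(1) output: a handful of lines a
# known-good OpenSSH 3.4 sshd (GOOD) and the trojaned one (SUSPECT) would
# contain, mirroring the differences listed in the post.
GOOD_STRINGS = [
    "@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $",
    "OpenSSH_3.4",
    "nobody",
    "Connection refused by tcp wrapper",
    "libwrap refuse returns",
    "/usr/src/usr.bin/ssh/sshd/../sshd.c",
    "Server listening on %s port %d.",
]
SUSPECT_STRINGS = [
    "grOet2CS62G4k",
    "@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $",
    "OpenSSH_3.4",
    "daemon",
    "/etc/sshd_config",
    "/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c",
    "Server listening on %s port %d.",
]

# Traditional DES crypt(3): 2-char salt + 11-char hash over [A-Za-z0-9./].
DES_CRYPT_RE = re.compile(r"^[A-Za-z0-9./]{13}$")
# MD5-crypt ($1$salt$hash), the other common format of the era.
MD5_CRYPT_RE = re.compile(r"^\$1\$[A-Za-z0-9./]{1,8}\$[A-Za-z0-9./]{22}$")
VERSION_RE = re.compile(r"^OpenSSH_(\d+\.\d+(?:\.\d+)?(?:p\d+)?)$")
TCP_WRAPPER_MARKERS = ("Connection refused by tcp wrapper", "libwrap refuse returns")


def strings_from_binary(path: str, min_len: int = 4) -> List[str]:
    """Pure-Python stand-in for strings(1): runs of printable ASCII."""
    with open(path, "rb") as fh:
        data = fh.read()
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def looks_like_crypt_hash(s: str) -> bool:
    """Heuristic (assumption): does this string have the shape of a crypt(3) hash?"""
    if MD5_CRYPT_RE.match(s):
        return True
    if not DES_CRYPT_RE.match(s):
        return False
    # Plenty of ordinary 13-character identifiers match the alphabet; a real
    # hash almost always mixes digits with upper- and lower-case letters.
    return (any(c.isdigit() for c in s) and any(c.isupper() for c in s)
            and any(c.islower() for c in s))


def version_of(strings: List[str]) -> Optional[str]:
    """Return the OpenSSH version banner embedded in the binary, if any."""
    for s in strings:
        m = VERSION_RE.match(s)
        if m:
            return m.group(1)
    return None


def triage(good: List[str], suspect: List[str],
           expected_version: str) -> Dict[str, List[str]]:
    """Classify strings present only in the suspect binary (or only in the
    good one) into the indicators the post relies on."""
    good_set, suspect_set = set(good), set(suspect)
    added = [s for s in suspect if s not in good_set]
    removed = [s for s in good if s not in suspect_set]
    findings: Dict[str, List[str]] = {
        # a hard-coded password hash is the classic trojaned-sshd tell
        "embedded_hash": [s for s in added if looks_like_crypt_hash(s)],
        # new absolute paths: alternate config files, build trees, drop dirs
        "new_paths": [s for s in added if s.startswith("/")],
        # source paths outside the system tree show who built it, and where
        "foreign_build_path": [s for s in added
                               if s.endswith(".c") and not s.startswith("/usr/src/")],
        # libwrap messages gone means hosts.allow/hosts.deny no longer apply
        "tcp_wrappers_removed": [s for s in removed if s in TCP_WRAPPER_MARKERS],
        # a version banner newer than what the OS release ships is suspicious
        "version_mismatch": [],
    }
    found = version_of(suspect)
    if found is not None and found != expected_version:
        findings["version_mismatch"] = [found]
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 4:  # usage: triage.py GOOD_BINARY SUSPECT_BINARY EXPECTED_VERSION
        good, suspect = strings_from_binary(sys.argv[1]), strings_from_binary(sys.argv[2])
        expected = sys.argv[3]
    else:  # fall back to the constructed sample; OpenBSD 3.0 shipped OpenSSH 3.0
        good, suspect, expected = GOOD_STRINGS, SUSPECT_STRINGS, "3.0"
    for indicator, hits in triage(good, suspect, expected).items():
        if hits:
            print(f"{indicator}: {hits}")
```

Run it with a pristine binary from install media, the suspect binary and the version the OS release is supposed to ship to apply the same checks to a real incident; the `strings_from_binary` helper stands in for strings(1) so the script has no external dependencies. The hash heuristic will still flag the occasional 13-character identifier, so treat `embedded_hash` as a lead to confirm with crypt(), not as proof.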