Hello. Recently one of my OpenBSD 3.0 boxes got compromised. The attacker used OpenSSH exploit and installed trojaned sshd binary. There were obvious signs of compromise: <root@svrtr:/root:251># ls -al /usr/sbin/sshd -rwxr-xr-x 1 root wheel 966656 Oct 18 2001 /usr/sbin/sshd* <root@svrtr:/root:252># md5 /usr/sbin/sshd MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d <root@svrtr:/root:253># ldd /usr/sbin/sshd ldd: /usr/sbin/sshd: not a dynamic executable <root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3 OpenSSH_3.4 1) Installed version is 3.4, but OpenBSD 3.0 ships with 3.0. File modification date is earlier than 3.4 release date. 2) Binary is statically linked, therefore much larger than original sshd. 3) It was installed with other perms (0755) than original one (0555). I've compared good OpenSSH 3.4 binary with compromised one and found the following: --- s1 Sun Jul 14 08:48:17 2002 +++ s2 Sun Jul 14 08:48:26 2002 @@ -6,9 +6,10 @@ -@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $ +grOet2CS62G4k +@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $ [...] -nobody +daemon [...] +/etc/sshd_config [...] -Connection refused by tcp wrapper -libwrap refuse returns [...] -/usr/src/usr.bin/ssh/sshd/../sshd.c +/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c [...] Full diff output can be found at: http://www.frasunek.com/sshd_diff.gz And compromised sshd binary: http://www.frasunek.com/sshd_rooted.gz -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF * ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Jul 15 2002 - 08:31:28 PDT