Re: OpenBSD rootkit

From: Mark Ruth (Mark.Ruthat_private)
Date: Mon Jul 15 2002 - 23:44:01 PDT


    I would rather call this a backdoor, except for the fact that you can find
    some other modified programs like ps, ls, ... or at least a kernel module.
    There's a little difference between a rootkit and a trojaned sshd.
    
    regards
    
    > 
    > 
    > Hello.
    > 
    > Recently one of my OpenBSD 3.0 boxes got compromised. The 
    > attacker used an OpenSSH exploit and installed a trojaned sshd 
    > binary. There were obvious signs of compromise:
    > 
    > <root@svrtr:/root:251># ls -al /usr/sbin/sshd
    > -rwxr-xr-x  1 root  wheel  966656 Oct 18  2001 /usr/sbin/sshd*
    > <root@svrtr:/root:252># md5 /usr/sbin/sshd
    > MD5 (/usr/sbin/sshd) = 1d133d59406c1e3d51fbdaed69ceb83d
    > <root@svrtr:/root:253># ldd /usr/sbin/sshd
    > ldd: /usr/sbin/sshd: not a dynamic executable
    > <root@svrtr:/root:254># strings /usr/sbin/sshd | grep OpenSSH_3
    > OpenSSH_3.4
    > 
    > 1) Installed version is 3.4, but OpenBSD 3.0 ships with 3.0. 
    > File modification date is earlier than 3.4 release date.
    > 
    > 2) Binary is statically linked, therefore much larger than 
    > original sshd.
    > 
    > 3) It was installed with different perms (0755) than the original one (0555). 
    > 
    > I've compared a good OpenSSH 3.4 binary with the compromised one 
    > and found the following:
    > 
    > --- s1	Sun Jul 14 08:48:17 2002
    > +++ s2	Sun Jul 14 08:48:26 2002
    > @@ -6,9 +6,10 @@
    > -@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $
    > +grOet2CS62G4k
    > +@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $
    > [...]
    > -nobody
    > +daemon
    > [...]
    > +/etc/sshd_config
    > [...]
    > -Connection refused by tcp wrapper
    > -libwrap refuse returns
    > [...]
    > -/usr/src/usr.bin/ssh/sshd/../sshd.c
    > +/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c
    > [...]
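    Review bot: the 13-character token `grOet2CS62G4k` inserted directly before the sshd.c ident string is the line to triage first; its length and alphabet match the output shape of traditional crypt(3), which is consistent with a hard-coded password hash compiled into the replacement daemon, so that exact string and the build path `/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c` are the two values worth grepping for in sshd binaries on every other host. Two further points from the same hunk: the removed `Connection refused by tcp wrapper` / `libwrap refuse returns` strings mean the replacement was built without libwrap, so any hosts.allow/hosts.deny restrictions silently stopped applying, and the `nobody` to `daemon` change plus the added `/etc/sshd_config` path show the binary runs its unprivileged stage under a different account and may read a config file at a non-standard path. Since this is a diff of strings(1) output rather than source, it only shows literal changes; the full diff and binary linked below are needed for anything beyond that.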
    > 
    > Full diff output can be found at:
    > 
    > http://www.frasunek.com/sshd_diff.gz
    > 
    > And compromised sshd binary:
    > 
    > http://www.frasunek.com/sshd_rooted.gz
    > 
    > -- 
    > * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE *
    > * Inet: przemyslawat_private ** PGP: D48684904685DF43EA93AFA13BE170BF *
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    -- 
    GMX - Die Kommunikationsplattform im Internet.
    http://www.gmx.net
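The checks the quoted post does by hand (ls -al for mode and mtime, md5 against a known-good copy, strings | grep for the version banner, and the strings diff for libwrap strings, the privsep user and the build path) can be scripted so the same triage runs identically on every host. The script below is an added example for this archive page, not code from either poster. It works on the raw bytes plus stat() data of a binary and skips the ldd step, which needs the dynamic linker; the release dates and the "13 characters from the crypt(3) alphabet" shape are assumptions to verify, and the sample string tables at the bottom are constructed from the strings quoted in the post, not taken from the real binaries.

```python
#!/usr/bin/env python3
"""Offline triage of a suspect sshd binary (added example, not from the mail).

Reproduces the checks from the post: mode, mtime vs. the release date of the
version the binary claims to be, md5 vs. a baseline, version banner, libwrap
strings, build path, plus a shortlist of crypt(3)-shaped tokens."""
import hashlib
import os
import re
import stat
from datetime import datetime, timezone

# Assumed release dates (from the OpenSSH release history; verify before use).
RELEASE_DATES = {
    "3.0": datetime(2001, 11, 6, tzinfo=timezone.utc),
    "3.4": datetime(2002, 6, 26, tzinfo=timezone.utc),
}
_VERSION = re.compile(r"OpenSSH_(\d+\.\d+(?:p\d+)?)")
# Traditional crypt(3) output: 2-char salt + 11 chars, all from [./0-9A-Za-z].
_CRYPT_SHAPE = re.compile(r"^[./0-9A-Za-z]{13}$")
# __FILE__-style strings such as "/usr/src/usr.bin/ssh/sshd/../sshd.c".
_BUILD_PATH = re.compile(r"^(/\S+)/sshd/\.\./sshd\.c$")
LIBWRAP_STRINGS = ("Connection refused by tcp wrapper", "libwrap refuse returns")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Rough equivalent of strings(1): runs of printable ASCII of min_len or more."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(data)]


def claimed_version(strs):
    """Version from the first OpenSSH_x.y banner, or None if there is none."""
    for s in strs:
        m = _VERSION.search(s)
        if m:
            return m.group(1)
    return None


def crypt_shaped_tokens(strs):
    """Standalone 13-char tokens in the crypt(3) alphabet: a shortlist, not proof."""
    return [s for s in strs if _CRYPT_SHAPE.match(s)]


def build_paths(strs):
    """Source trees recorded in the binary's __FILE__ strings."""
    found = []
    for s in strs:
        m = _BUILD_PATH.match(s)
        if m:
            found.append(m.group(1))
    return found


def triage(data: bytes, st_mode: int, mtime: datetime, *, baseline_md5: str,
           shipped_version: str, expected_mode: int = 0o555) -> list:
    """Return human-readable findings; an empty list means nothing looked off."""
    findings = []
    strs = extract_strings(data)
    digest = hashlib.md5(data).hexdigest()
    if digest != baseline_md5:
        findings.append(f"md5 {digest} differs from baseline {baseline_md5}")
    mode = stat.S_IMODE(st_mode)
    if mode != expected_mode:
        findings.append(f"mode {mode:04o} differs from expected {expected_mode:04o}")
    ver = claimed_version(strs)
    if ver is None:
        findings.append("no OpenSSH_ version banner found")
    else:
        if ver != shipped_version:
            findings.append(f"claims OpenSSH {ver}, this release ships {shipped_version}")
        released = RELEASE_DATES.get(ver)
        if released and mtime < released:
            findings.append(f"mtime {mtime:%Y-%m-%d} predates the {ver} release ({released:%Y-%m-%d})")
    missing = [s for s in LIBWRAP_STRINGS if s not in strs]
    if missing:
        findings.append("libwrap (tcp_wrappers) strings missing: " + ", ".join(missing))
    for tok in crypt_shaped_tokens(strs):
        findings.append(f"crypt(3)-shaped token {tok!r}; check for a hard-coded password")
    for p in build_paths(strs):
        if not p.startswith("/usr/src/"):
            findings.append(f"built from non-standard tree {p}")
    return findings


def triage_file(path, **kw):
    """Real-file wrapper: reads the bytes and stat() data, as ls/md5 did above."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    return triage(data, st.st_mode, datetime.fromtimestamp(st.st_mtime, tz=timezone.utc), **kw)


# Constructed stand-ins for the string tables of a clean and a trojaned sshd;
# the token and paths in TROJANED are the ones quoted in the post above.
CLEAN = b"\0".join([
    b"@(#)$OpenBSD: sshd.c,v 1.239.2.3 2002/06/26 15:30:39 jason Exp $",
    b"nobody", b"Connection refused by tcp wrapper", b"libwrap refuse returns",
    b"/usr/src/usr.bin/ssh/sshd/../sshd.c", b"OpenSSH_3.4",
]) + b"\0"
TROJANED = b"\0".join([
    b"grOet2CS62G4k",
    b"@(#)$OpenBSD: sshd.c,v 1.255 2002/06/30 21:59:45 deraadt Exp $",
    b"daemon", b"/etc/sshd_config",
    b"/tmp_mnt/killer/home/FLOYD/src/usr.bin/bad/sshd/../sshd.c", b"OpenSSH_3.4",
]) + b"\0"
BASELINE_MD5 = hashlib.md5(CLEAN).hexdigest()


def triage_clean_sample():
    """Known-good 3.4 build on a box where 3.4 is expected: no findings."""
    return triage(CLEAN, 0o100555, datetime(2002, 6, 27, tzinfo=timezone.utc),
                  baseline_md5=BASELINE_MD5, shipped_version="3.4")


def triage_suspect_sample():
    """The post's case: 0755, mtime Oct 18 2001, on a box that ships sshd 3.0."""
    return triage(TROJANED, 0o100755, datetime(2001, 10, 18, tzinfo=timezone.utc),
                  baseline_md5=BASELINE_MD5, shipped_version="3.0")


if __name__ == "__main__":
    for name, findings in (("clean", triage_clean_sample()), ("suspect", triage_suspect_sample())):
        print(name, "->", "clean" if not findings else "")
        for f in findings:
            print("  -", f)
```

Run it as-is to see the two sample verdicts, or call `triage_file("/usr/sbin/sshd", baseline_md5=..., shipped_version="3.0")` with the md5 of a known-good binary from install media. The crypt-shape check deliberately over-matches (any 13-character alphanumeric string qualifies), so treat it as a shortlist to eyeball, not as a verdict on its own.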
    
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 08:21:27 PDT