Forgot your password?
typodupeerror
Security Encryption

Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland 171

Posted by timothy
from the in-iceland-they-get-massages dept.
An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon are found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password, the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all username and passwords to exfiltrate them to a server hosted in Iceland."
This discussion has been archived. No new comments can be posted.

Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland

Comments Filter:
  • by Penguinshit (591885) on Saturday January 26, 2013 @01:16AM (#42698905) Homepage Journal
    Somebody had to say it.
    • by ghmh (73679) on Saturday January 26, 2013 @02:07AM (#42699023)
      And until now it was oh, so quiet!
    • I only install from sources you insensitive clod!

      • by cheekyboy (598084)

        Or you could source two binaries from two diff repo servers in two diff countries, and only accept the install if they both are identical.

        • by smash (1351)
          Because the source server that feeds both could NEVER be compromised.
      • by smash (1351)
        Unless you're auditing said sources, you're no better off than installing binaries.
        • Re:I use Gentoo (Score:5, Informative)

          by miknix (1047580) on Saturday January 26, 2013 @09:34AM (#42700299) Homepage

          Unless you're auditing said sources, you're no better off than installing binaries.

          You know that Gentoo checks the SHA256 SHA512 and WHIRLPOOL digests of the downloaded sources before compiling right? You also know that the digests stored in Gentoo's repository are signed using a PGP key of the package maintainer, right?

          So can you please explain me again why I need to audit such sources? Sure sources can be compromised at upstream's servers and Gentoo maintainers can also make mistakes but this is not what TFA is about.

          • by smash (1351)
            Yeah, and other operating systems do hashes for their binaries, too.
  • by 93 Escort Wagon (326346) on Saturday January 26, 2013 @01:21AM (#42698911)

    I'd think this was a story about Cisco gear from not that long ago.

    •     I was asked to clean some exploited servers in the wild that had compromised SSH binaries in them. This was about 10 years or so ago, so this is really a not current news story.

          Thankfully most script kiddies are exactly that, and their script left the source on the machine for me to review. Why? I guess to compile on the machine to make sure it used the local libraries. They generally didn't have passwords hard coded though, they used SSH keys. The passwords they stole were usually stored locally in a file, and sent to somewhere in eastern Europe or Asia. I have no idea if that was by the script kiddie design or the person who rolled it up. It's a pretty slick trick though. You get the script kiddies to gather intel from compromised machines, and feed it back to you. Now you have access to every machine the script kiddies compromised.

          The funny part about most of the cleanups was, the version of SSH they put on was newer than the remotely exploitable version they got in with.

       

      • by pipatron (966506) <pipatron@gmail.com> on Saturday January 26, 2013 @02:42AM (#42699131) Homepage

        I was asked to clean some exploited servers in the wild that had compromised SSH binaries in them. This was about 10 years or so ago, so this is really a not current news story.

        Someone got murdered about 10 years ago, so there's no point reporting about current murders.

        Or what is your point exactly?

      • by OwenT (2778847)
        Apparently it's quite common for attackers to actually patch the security holes they used to get in, once they've installed their backdoors. Don't want someone else getting in the same way, after all...
      • by maxwell demon (590494) on Saturday January 26, 2013 @05:52AM (#42699577) Journal

        Thankfully most script kiddies are exactly that, and their script left the source on the machine for me to review. Why?

        Maybe it was an Open Source client, and they had to give you the source code to comply? :-)

  • Tip (Score:5, Informative)

    by detritus. (46421) on Saturday January 26, 2013 @01:29AM (#42698929)

    I cleaned up an a backdoored Debian system after discovering md5 sum mismatches on all the ssh binaries from the original packages some time ago.

    debsums is a nice utility to check this for you, granted that the attackers didn't modify the signing keys and installed their own package.

    • Re: (Score:2, Insightful)

      by MightyMartian (840721)

      So how is a compromised ssh binary getting on Debian?

      • Simple: It snuck in the back door.

      • Re:Tip (Score:4, Informative)

        by Nerdfest (867930) on Saturday January 26, 2013 @02:04AM (#42699015)

        Poor passwords, other infected (non-repo) packages, exploits in services (like apache, etc) installed with too many permissions, etc.

      • by NotBorg (829820)
        Yeah, I hate most Linux exploit articles. They always seem to be about what happens after the machine was rooted. Binaries changed out, configurations changed, permissions set, yadi yadi yada... They never seem to be about how they got rooted in the first place.
        • Mostly weak passwords/lack of anti-brute-force, Apache vulnerabilities is probably the second most common. Nothing new.

        • That's why ssh is trojaned - it's how they got in. Once they get into one box some other way, the trojan gets them into every box a user connects to via ssh. So it spreads like a virus. At some point, an admin with access to a lot of machines, like a hosting company admin, uses ssh to rsync / scp to their main machine. Then the bad guys get access to every machine hosted there.
        • All the machines I cleaned up got hacked due to some wise guys who thought that using 4 letter passwords were kewl.
        • by gweihir (88907)

          Yeah, I hate most Linux exploit articles. They always seem to be about what happens after the machine was rooted. Binaries changed out, configurations changed, permissions set, yadi yadi yada... They never seem to be about how they got rooted in the first place.

          Unlike the MS world where typically some software maker (and often MS itself) has screwed up, Linux tends to be rooted because some administrator or user got careless. That is not very interesting and the details do not matter.

    • Re:Tip (Score:5, Insightful)

      by 19thNervousBreakdown (768619) <davec-slashdot@l ... et minus caffein> on Saturday January 26, 2013 @02:50AM (#42699155) Homepage

      You can never clean up a system. MD5s help, but you know what one of the first things I'd do when rooting a system is? After making sure my rootkit didn't show up in directory listings, I'd patch md5, shasum, perl, and ruby to return the exact MD5 I wanted for every file I defined a magic string for.

      You gonna catch me on some systems? Sure. You gonna catch me on an extremely common distro like Debian without installing out-of-tree software? Probably not.

      • Re:Tip (Score:5, Insightful)

        by DarwinSurvivor (1752106) on Saturday January 26, 2013 @04:14AM (#42699371)
        Rule #1 of investigating a compromised system is you don't use the tools on the compromised system.
        • Rule #1 of investigating a compromised system is you don't use the tools on the compromised system.

          Security is a process. Running a scanner on a compromised system has no guarantee of finding out that the system is compromised. But 98% of the time it will work just fine - these systems are usually compromised by script kiddie tools that don't spend a great deal of effort to find the rootkit scanners.

          I suppose it would be better if somebody came up with a well-developed package for cross-scanning systems o

          • by jcdr (178250)

            I suppose it would be better if somebody came up with a well-developed package for cross-scanning systems over shared storage (does it already exist?) but that's also only going to reduce your 98% to 98.5%. I suppose all you need to really do is to validate the integrity of the host system's scanner (or rpm or dpkg, etc.) but then again the remote system access method could also be compromised (today it's TLA stuff to compromise e.g. nfsd such that it will only return the wrong (but valid) md5sum and sha1sum and [randomhashsum] for only the scanners you might check for) but it's not likely.

            Taking down every system on a frequent schedule for an offline scan would be a good idea but then again the BIOS could be compromised and you start to run into the collision of business needs and absolute security.

            I use NFS root internet servers connected to a intranet NFS server. On the last I use rsync to do backup and detection of any files change. The only permanent memory on the internet servers machines are the BIOS, ok, but I have yet to see an exploit that hack the BIOS in a way to compromise a TFTP + NFS boot without any detectable trace from the NFS server point of view. If your concern really go into this level of paranoia, then you can simply hack the write protection signal of your BIOS memory chip (see

        • by smpoole7 (1467717)

          Bootable CD or DVD with tools on it. Worth its weight in gold.

      • Man, you would run md5sum on the actual compromised box??

        Why not do it from a ISO booted linux, and nfs share the whole box , so you can sum it from the outside.

        What you really need is all binaryies libs running of a partition that is read only. Kind of like android.

      • by jcdr (178250)

        Yes, "out-of-tree" is the key.

        I have experimented a very successful way to solve the problem: Internet connected servers using NFS root from an intranet NFS server. All the machines are using a standard distribution. The intranet NFS server handle the backup of all the internet servers using rsync. It's really easy and efficient as it's just moving data internally of the RAID array. It's easy to detect unexpected files change, to compare internet machines binaries with the intranet machine binaries, and to

    • Re:Tip (Score:5, Funny)

      by davester666 (731373) on Saturday January 26, 2013 @03:12AM (#42699203) Journal

      If there is one thing I truly dislike, it's getting backdoored.

  • Effective (Score:5, Interesting)

    by Anonymous Coward on Saturday January 26, 2013 @02:00AM (#42698999)

    I myself have set up modified versions of the sshd dameon/ssh client on various rooted machines in the past (mine was simply allowing root login without logging anything with a hardcoded password + writing logins/hosts/passwords, after encryption, deep inside a fake shared library on the system - this took less than an hour to implement in the openssh source).

    In all cases, despite the extreme simplicity of this mechanism, it was very, very easy to then gain access to a lot of other boxes on the network, and eventually to all the network itself. Just wait for the clueless sysadmin to log in (dumping his pass), then wait for him to use ssh to log in to another box in the network (dumping his pass as well). Then install the modified version of the daemon/client on to this new box. Rince, repeat.

    It is in a way terrifying to see how most sysadmins are clueless. So, IMHO, a few measures that should be compulsory on any network:

    - Do not allow write access to any essential binaries (like sshd, ls, and so on). If you have to, make sure you have a stealthy daemon checking the hashes of all critical binaries at regular intervals to make sure they have not been tampered with.
    - Never, ever, log in to a server in your network from another server in the same network. Use port redirection, then log in from your initial box.
    - Always use a dedicated server for system logs (syslog handles that very easily - sending logs over the network). That way, the logs of the initial system compromise will not be deletable. Do not ever log in remotely to this dedicated machine.
    - After the initial system install, make a dump of the syscalls table of your kernel. Check it regularly to make sure it has not been tampered with (kernelspace rootkits usually hijack this table).
    - ...there are also other ways to implement an effective kernelspace rootkit, like VFS hijacking, so make sure you disable modules loading in the kernel before compiling (and check the hash of the kernel image itself regularly as well).

    Those are the main sane measures that come to mind (this is all based on real life experience intruding into large companies/laboratories/university systems, without ever having been detected). Posting anonymously for obvious reasons.

    • Re:Effective (Score:4, Informative)

      by Gaygirlie (1657131) <gaygirlie.hotmail@com> on Saturday January 26, 2013 @02:33AM (#42699115) Homepage

      - Do not allow write access to any essential binaries (like sshd, ls, and so on). If you have to, make sure you have a stealthy daemon checking the hashes of all critical binaries at regular intervals to make sure they have not been tampered with.

      I'm sure there are plenty of other such systems, but Tripwire ( http://www.tripwire.org/ [tripwire.org] ) is one of the more popular tools to keep a check on your system and warn you immediately if it detects tampering attempts.

      - After the initial system install, make a dump of the syscalls table of your kernel. Check it regularly to make sure it has not been tampered with (kernelspace rootkits usually hijack this table).

      AFAIK Tripwire handles this, too.

    • Also, don't use passwords for ssh.
      • Personally I think a password is a very good idea if combined with a key. If a laptop gets stolen the thief can log in directly with the stolen key saved on the laptop. If they have to work out a password as well they only get what is on the laptop.
        • by Opportunist (166417) on Saturday January 26, 2013 @05:18AM (#42699497)

          Security is usually one of three things: Something you know (password), something you have (key, token) or something you are (biometry). Alone, none of them is really a big security obstacle, at the very least you should combine two of them. If you're paranoid, require all three.

          Using two of the same class is patently useless, as practice has shown. If one password can be sniffed, so can two and more. And people tend to store their keys and dongles and other work related gadgets in similar places (if you get their keys, you usually also get their ID dongles), so if one is gone, usually they are all gone. And I guess I needn't explain why fingerprinting and retina scans aren't really a sensible combo either (aside from the cost).

          And preferably request them through two separate and independent channels. It's amazing how rarely this rather essential minimum of security is enforced.

        • by segedunum (883035)
          That's what SSH key phrases are for.
          • by dbIII (701233)
            To a non-sysadmin what they see during the ssh login process is a request for a password even when it is really the key phrase for the key. They'll take that "don't use a password" advice above as logging in with keys that have no passphrase.
            What I wrote above should be obvious but I seem to have attracted five people that have decided I'm a pedant so want to get pedantic about me using "password" to make the my post easier to read.
        • by smash (1351)
          Passphrases on SSH keys are not the same as SSH passwords. They don't go over the wire.
          • There is no way to enforce this, except to scan people's home directories for unsecured keys. It's also awkward if they are using "ssh-agent" or other passprase unlocking tools on a shared host, such as a server where I have administrative access or when someone has set up software to use passphrase-free keys as part of a regularly scheduled task, such as a backup system for databases. I've used these approaches to borrow other user's SSH keys when needed, not always with their advance knowledge. (I always

            • by dbIII (701233)

              There is no way to enforce this, except to scan people's home directories for unsecured keys

              And it doesn't help when we get so many people writing "don't use passwords" - so they take that advice to mean not securing their keys :(

        • As others have suggested, I will confirm. Do not use username/password as the authentication method for your ssh server. If you want 2-factor encrypt the private keys or go hardcore with PAM and have them enter one-time codes from a pad or separate comm channel (sms, etc) after the key is verified.
          • by dbIII (701233)
            Just put a password/passphrase on the key as designed and it all works as intended for general use.
            Single factor authentication with a stealable key can be even worse than single factor authentication with a password in some cases.
    • Do not allow write access to any essential binaries

      This makes no sense. Once somebody has root and can write to those binaries you are already fucked and they can change access to anything they like, and then write over it to their hearts content.
      Putting them on read only media sounds like a cool idea but is difficult to implement for anything other than the short term and can be circumvented if somebody roots your box anyway. There's the script kiddie toy of changing file attributes (and thus announcing

      • by segedunum (883035)

        This makes no sense. Once somebody has root and can write to those binaries you are already fucked and they can change access to anything they like, and then write over it to their hearts content.

        Quite right. Binaries are already write protected from users but if you're root you can do anything.

      • by Junta (36770)
        It might be reasonable to map most system binaries to an nfs share where root is mapped to nobody...
        • by dbIII (701233)
          Now that's something more sensible than read-only media that's only going to have a short lifetime before you have to change things on it. Of course locking root out from changing the mount point is going to be a challenge in both cases.
        • by jcdr (178250)

          Simply use NFS root for the internet server. It's reliable, easy to backup, and fun to manage.

    • old school: send remote syslog to a printer. real paper printer.

      can't rm -rf paper; at least not remotely.

  • The article says "...discovered on compromised servers."

    If they are not distro(i.e. ubuntu, redhat,centos, etc.) servers, or openssh servers, this is a non-story. I can create a random domain, compile a version of openssh to sends passwords to me and host it on my server as an official ssh binary.

    If I install stock wordpress with access to the file, would that then count a compromised?

  • I never use passwords with ssh. If ssh asks me for a password, I know something is wrong. I made this policy decision because of the endless attempts to log into my machine from all over the world. It was either something like a yubikey, or only using public key authentication. I went for the public key authentication.

    • Re: (Score:3, Funny)

      by maxwell demon (590494)

      So you don't password-protect your private key?

  • I may have missed it but was this a binary package for a specific distro (on their own servers) or a binary on an untrusted server not attached to any specific distro?

The bogosity meter just pegged.

Working...