Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland - Slashdot

Slashdot

Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland 171

Posted by timothy on Saturday January 26, 2013 @02:01AM
from the in-iceland-they-get-massages dept.

An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon are found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password, the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all username and passwords to exfiltrate them to a server hosted in Iceland."

This discussion has been archived. No new comments can be posted.

Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland

Search 171 Comments Log In/Create an Account

Comments Filter:

Re:Iceland? How hard could it be? (Score:5, Insightful)

by WWJohnBrowningDo (2792397) writes: on Saturday January 26, 2013 @02:21AM (#42698915)

Just because the server is in Iceland doesn't mean the perpetrator is.

In all likelihood the server is just another compromised machine.

Parent Share
twitter facebook linkedin
Re:Tip (Score:2, Insightful)

by MightyMartian (840721) writes: on Saturday January 26, 2013 @02:32AM (#42698931) Journal

So how is a compromised ssh binary getting on Debian?

Parent Share
twitter facebook linkedin
Re:If it weren't for the mention of Iceland (Score:4, Insightful)

by pipatron (966506) writes: <pipatron@gmail.com> on Saturday January 26, 2013 @03:42AM (#42699131) Homepage

I was asked to clean some exploited servers in the wild that had compromised SSH binaries in them. This was about 10 years or so ago, so this is really a not current news story.
Someone got murdered about 10 years ago, so there's no point reporting about current murders.
Or what is your point exactly?

Parent Share
twitter facebook linkedin
Re:Tip (Score:5, Insightful)

by 19thNervousBreakdown (768619) writes: <davec-slashdot@@@lepertheory...net> on Saturday January 26, 2013 @03:50AM (#42699155) Homepage

You can never clean up a system. MD5s help, but you know what one of the first things I'd do when rooting a system is? After making sure my rootkit didn't show up in directory listings, I'd patch md5, shasum, perl, and ruby to return the exact MD5 I wanted for every file I defined a magic string for.
You gonna catch me on some systems? Sure. You gonna catch me on an extremely common distro like Debian without installing out-of-tree software? Probably not.

Parent Share
twitter facebook linkedin
Re:Tip (Score:5, Insightful)

by DarwinSurvivor (1752106) writes: on Saturday January 26, 2013 @05:14AM (#42699371)

Rule #1 of investigating a compromised system is you don't use the tools on the compromised system.

Parent Share
twitter facebook linkedin
Re:Tip (Score:1, Insightful)

by Anonymous Coward writes: on Saturday January 26, 2013 @05:17AM (#42699377)

Must have come from a Windows machine, coz Linux is so secure... ;)

Parent Share
twitter facebook linkedin
Duh, run md5sum from external machine (Score:3, Insightful)

by cheekyboy (598084) writes: on Saturday January 26, 2013 @09:19AM (#42699945) Homepage Journal

Man, you would run md5sum on the actual compromised box??
Why not do it from a ISO booted linux, and nfs share the whole box , so you can sum it from the outside.
What you really need is all binaryies libs running of a partition that is read only. Kind of like android.

Parent Share
twitter facebook linkedin

There may be more comments in this discussion. Without JavaScript enabled, you might want to turn on Classic Discussion System in your preferences instead.

Related Links Top of the: day, week, month.

546 commentsChanging the Ratio of Women In Tech: How Etsy Did It
334 commentsLast Forking Warning For Bitcoin
274 commentsBotched Security Update Cripples Thousands of Computers
234 commentsFedora 19 To Stop Masking Passwords
211 commentsMitigating Password Re-Use From the Other End

"And do you think (fop that I am) that I could be the Scarlet Pumpernickel?" -- Looney Tunes, The Scarlet Pumpernickel (1950, Chuck Jones)