Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland
An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon is found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password, the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all usernames and passwords to exfiltrate them to a server hosted in Iceland."
Re:Iceland? How hard could it be? (Score:5, Insightful)
In all likelihood the server is just another compromised machine.
Re:Tip (Score:2, Insightful)
So how is a compromised ssh binary getting on Debian?
Re:If it weren't for the mention of Iceland (Score:4, Insightful)
I was asked to clean some exploited servers in the wild that had compromised SSH binaries in them. This was about 10 years or so ago, so this is really not a current news story.
Someone got murdered about 10 years ago, so there's no point reporting about current murders.
Or what is your point exactly?
Re:Tip (Score:5, Insightful)
You can never clean up a system. MD5s help, but you know what one of the first things I'd do when rooting a system is? After making sure my rootkit didn't show up in directory listings, I'd patch md5, shasum, perl, and ruby to return the exact MD5 I wanted for every file I defined a magic string for.
You gonna catch me on some systems? Sure. You gonna catch me on an extremely common distro like Debian without installing out-of-tree software? Probably not.
Duh, run md5sum from external machine (Score:3, Insightful)
Man, you would run md5sum on the actual compromised box??
Why not do it from an ISO-booted Linux, and NFS share the whole box, so you can sum it from the outside?
What you really need is all binaries and libs running off a partition that is read only. Kind of like Android.
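The checking procedure the last two posts describe, done from a defender's side, as an added example that is not code from any poster in this thread: boot a live ISO, mount the suspect disk read-only, and hash its binaries with a tool that never ran on the compromised system, comparing against a manifest produced earlier from a known-clean install. The mount point, the manifest path and the sha256sum-style manifest format are assumptions made here for the example; the comparison itself is generic and works for any set of relative paths.

```python
#!/usr/bin/env python3
"""Verify binaries on an offline-mounted root against a trusted hash manifest.

Added example, not code from the thread. Assumed setup: the suspect disk is
mounted read-only (e.g. under /mnt/suspect after booting a live ISO) and a
manifest of SHA-256 sums was produced earlier from a known-clean install of
the same package versions. Manifest format assumed here is the one written by
`sha256sum`: "<hex digest>  <relative path>" per line.
"""
from __future__ import annotations

import hashlib
import sys
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large binaries are not read whole


def sha256_of(path: Path) -> str:
    """Hash a file with Python's own hashlib; never trust the suspect box's md5sum."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path, paths: list[str]) -> str:
    """Produce sha256sum-style manifest text for relative paths under a clean root."""
    lines = [f"{sha256_of(root / rel)}  {rel}" for rel in sorted(paths)]
    return "\n".join(lines) + "\n"


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'digest  path' lines into {path: digest}; blank/comment lines are skipped."""
    expected: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(maxsplit=1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} is malformed: {line!r}")
        digest, rel = parts
        expected[rel] = digest.lower()
    return expected


def verify_tree(root: Path, manifest_text: str) -> dict[str, list[str]]:
    """Compare files under root to the manifest.

    Returns sorted lists under 'modified' (digest differs), 'missing' (listed
    but absent) and 'ok'. Files not in the manifest are not flagged: a manifest
    only vouches for what it lists, so keep it complete for /bin, /sbin, /lib.
    """
    expected = parse_manifest(manifest_text)
    result: dict[str, list[str]] = {"modified": [], "missing": [], "ok": []}
    for rel, digest in expected.items():
        target = root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_of(target) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    for key in result:
        result[key].sort()
    return result


def main(argv: list[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <mounted-root> <manifest.sha256>", file=sys.stderr)
        return 2
    root, manifest = Path(argv[1]), Path(argv[2])
    report = verify_tree(root, manifest.read_text())
    for rel in report["modified"]:
        print(f"MODIFIED {rel}")
    for rel in report["missing"]:
        print(f"MISSING  {rel}")
    print(f"{len(report['ok'])} ok, {len(report['modified'])} modified, "
          f"{len(report['missing'])} missing")
    return 1 if (report["modified"] or report["missing"]) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the live environment as `verify_tree.py /mnt/suspect clean-manifest.sha256` (both names assumed). The manifest must come from a host you trust, matched to the same package versions, and the hashing runs in the live system's Python, so a patched md5sum or shasum on the suspect disk has no say in the result; that is the whole point of summing "from the outside".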