Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland

An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon are found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password, the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all username and passwords to exfiltrate them to a server hosted in Iceland."

SSH Got Bjorked?

[Penguinshit]

Somebody had to say it.

Re:SSH Got Bjorked?

[ghmh]

And until now it was oh, so quiet!

Re:

[drinkypoo]

This is completely normal human behaviour.

Re:

[Penguinshit]

nice...

Re:I use Gentoo

[miknix]

I only install from sources you insensitive clod!

Re:

[cheekyboy]

Or you could source two binaries from two diff repo servers in two diff countries, and only accept the install if they both are identical.

Re:

[smash]

Because the source server that feeds both could NEVER be compromised.

Re:

[smash]

Unless you're auditing said sources, you're no better off than installing binaries.

Re:I use Gentoo

[miknix]

Unless you're auditing said sources, you're no better off than installing binaries.

You know that Gentoo checks the SHA256 SHA512 and WHIRLPOOL digests of the downloaded sources before compiling right? You also know that the digests stored in Gentoo's repository are signed using a PGP key of the package maintainer, right?

So can you please explain me again why I need to audit such sources? Sure sources can be compromised at upstream's servers and Gentoo maintainers can also make mistakes but this is not what TFA is about.

Re:

[smash]

Yeah, and other operating systems do hashes for their binaries, too.

Re:

[miknix]

Everyone replying here seems to be obsessed in comparing binary vs source and totally miss the point. The point is that
Gentoo users do not have the habit of installing binary packages at all, for that reason this trojanized sshd BINARY does not concern us.
Wooooooosh!

You are missing the point. Install doesn't matter

[raymorris]

The trojaned ssh isn't the one installed from the repo, it's installed later by the bad guy, so it doesn't matter how you installed . Again, the trojaned ssh isn't the one you installed. The ONLY difference between source vs. binary packages in this case is that people who installed binaries could be alerted that the hash of the existing file doesn't match the correct binary. So binary installs are SAFER as far as this trojan.

How does the bad guy get the trojan on your system, if not from the repo, yo

Re:

[miknix]

How does the bad guy get the trojan on your system, if not from the repo, you ask? He gets access when someone else who is infected logs into your machine - your sysadmin, your hosting company, a vendor, etc.

Dude, this does not make any sense at all!
If person X logs into my machine (which is not infected) and that X is infected with the trojanized daemon. Then the attacker will not be able to find out the X's account password in my machine because the connection was made to my uninfected daemon and not to X's infected daemon. Get it?

Re:

[smash]

Also, even compiling from trusted source is no good if your compiler is compromised [bell-labs.com].

Re:

[Anonymous Coward]

Warner Bros. Records.

Re:

[Penguinshit]

It's a play on "Borked" (hint "Robert Bork" - Google it) and the native country of the artist Bjork.

Re:

[g0bshiTe]

I hope he's just having a piss. Otherwise someone needs to stop working with computers.

Re:

[Penguinshit]

you're a djerk.

If it weren't for the mention of Iceland

[93 Escort Wagon]

I'd think this was a story about Cisco gear from not that long ago.

Re:If it weren't for the mention of Iceland

[JWSmythe]

    I was asked to clean some exploited servers in the wild that had compromised SSH binaries in them. This was about 10 years or so ago, so this is really a not current news story.

    Thankfully most script kiddies are exactly that, and their script left the source on the machine for me to review. Why? I guess to compile on the machine to make sure it used the local libraries. They generally didn't have passwords hard coded though, they used SSH keys. The passwords they stole were usually stored locally in a file, and sent to somewhere in eastern Europe or Asia. I have no idea if that was by the script kiddie design or the person who rolled it up. It's a pretty slick trick though. You get the script kiddies to gather intel from compromised machines, and feed it back to you. Now you have access to every machine the script kiddies compromised.

    The funny part about most of the cleanups was, the version of SSH they put on was newer than the remotely exploitable version they got in with.

 

Re:If it weren't for the mention of Iceland

[pipatron]

I was asked to clean some exploited servers in the wild that had compromised SSH binaries in them. This was about 10 years or so ago, so this is really a not current news story.

Someone got murdered about 10 years ago, so there's no point reporting about current murders.

Or what is your point exactly?

Re:

[johnsie]

grumpy much?

Breaking and decorating

[OwenT]

Apparently it's quite common for attackers to actually patch the security holes they used to get in, once they've installed their backdoors. Don't want someone else getting in the same way, after all...

Re:

[g0bshiTe]

Yes cause we all know how secure and well coded java apps are.

Re:

[JWSmythe]

Aw, I don't know why you were modded troll. That's funny. :)

And only ultra secure because it would work for a few days, and then hang, refusing all access. :)

Re:If it weren't for the mention of Iceland

[maxwell demon]

Thankfully most script kiddies are exactly that, and their script left the source on the machine for me to review. Why?

Maybe it was an Open Source client, and they had to give you the source code to comply? :-)

Re:

[JWSmythe]

I've seen that too. Mostly with fairly open hosting machines. Like, letting anyone sign up for free or low cost hosting. I saw a lot of them that were built for one platform (usually Redhat), where the libraries didn't quite line up with the running system.

At one place, I was collecting them. The script kiddie would put their SSH server on a high port. It worked great, except they couldn't get root with it, and they couldn't get to the daemon through the firewalls. It was rather entertaining.

I hat

Tip

[detritus.]

I cleaned up an a backdoored Debian system after discovering md5 sum mismatches on all the ssh binaries from the original packages some time ago.

debsums is a nice utility to check this for you, granted that the attackers didn't modify the signing keys and installed their own package.

Re:

[MightyMartian]

So how is a compromised ssh binary getting on Debian?

Re:

[UltraZelda64]

Simple: It snuck in the back door.

Re:Tip

[Nerdfest]

Poor passwords, other infected (non-repo) packages, exploits in services (like apache, etc) installed with too many permissions, etc.

Re:

[NotBorg]

Yeah, I hate most Linux exploit articles. They always seem to be about what happens after the machine was rooted. Binaries changed out, configurations changed, permissions set, yadi yadi yada... They never seem to be about how they got rooted in the first place.

Re:

[GameboyRMH]

Mostly weak passwords/lack of anti-brute-force, Apache vulnerabilities is probably the second most common. Nothing new.

That's why SSH - most compromised by the trojan

[raymorris]

That's why ssh is trojaned - it's how they got in. Once they get into one box some other way, the trojan gets them into every box a user connects to via ssh. So it spreads like a virus. At some point, an admin with access to a lot of machines, like a hosting company admin, uses ssh to rsync / scp to their main machine. Then the bad guys get access to every machine hosted there.

Re:

[flyingfsck]

All the machines I cleaned up got hacked due to some wise guys who thought that using 4 letter passwords were kewl.

Re:

[gweihir]

Yeah, I hate most Linux exploit articles. They always seem to be about what happens after the machine was rooted. Binaries changed out, configurations changed, permissions set, yadi yadi yada... They never seem to be about how they got rooted in the first place.

Unlike the MS world where typically some software maker (and often MS itself) has screwed up, Linux tends to be rooted because some administrator or user got careless. That is not very interesting and the details do not matter.

Re:Tip

[19thNervousBreakdown]

You can never clean up a system. MD5s help, but you know what one of the first things I'd do when rooting a system is? After making sure my rootkit didn't show up in directory listings, I'd patch md5, shasum, perl, and ruby to return the exact MD5 I wanted for every file I defined a magic string for.

You gonna catch me on some systems? Sure. You gonna catch me on an extremely common distro like Debian without installing out-of-tree software? Probably not.

Re:Tip

[DarwinSurvivor]

Rule #1 of investigating a compromised system is you don't use the tools on the compromised system.

Re:

[bill_mcgonigle]

Rule #1 of investigating a compromised system is you don't use the tools on the compromised system.

Security is a process. Running a scanner on a compromised system has no guarantee of finding out that the system is compromised. But 98% of the time it will work just fine - these systems are usually compromised by script kiddie tools that don't spend a great deal of effort to find the rootkit scanners.

I suppose it would be better if somebody came up with a well-developed package for cross-scanning systems o

Re:

[jcdr]

I suppose it would be better if somebody came up with a well-developed package for cross-scanning systems over shared storage (does it already exist?) but that's also only going to reduce your 98% to 98.5%. I suppose all you need to really do is to validate the integrity of the host system's scanner (or rpm or dpkg, etc.) but then again the remote system access method could also be compromised (today it's TLA stuff to compromise e.g. nfsd such that it will only return the wrong (but valid) md5sum and sha1sum and [randomhashsum] for only the scanners you might check for) but it's not likely.

Taking down every system on a frequent schedule for an offline scan would be a good idea but then again the BIOS could be compromised and you start to run into the collision of business needs and absolute security.

I use NFS root internet servers connected to a intranet NFS server. On the last I use rsync to do backup and detection of any files change. The only permanent memory on the internet servers machines are the BIOS, ok, but I have yet to see an exploit that hack the BIOS in a way to compromise a TFTP + NFS boot without any detectable trace from the NFS server point of view. If your concern really go into this level of paranoia, then you can simply hack the write protection signal of your BIOS memory chip (see

Re:

[smpoole7]

Bootable CD or DVD with tools on it. Worth its weight in gold.

use a PPC mac.

[cheekyboy]

No hacker can find the binaries to a PPC mac os 10.5

Duh, you can boot OSX from a DVD, if you are really that paranoid.

Re:

[smash]

You do network inspection and verify what the machine is doing over the wire matches what it SHOULD be doing over the wire.

Re:

[smash]

To clarify - you should be continually monitoring all your machines for unusual traffic. By unusual, i mean for example any traffic from a port that shouldn't be open. This is a good example of why it is safer to be fucking paranoid with your firewall rules on your edge, and do egress filtering as well as ingress - and be very specific with regards to what you open up and the source/destination as well as what ports you allow. If some daemon is running on a port that it shouldn't be running on, or connec

Re:

[smash]

If your machine isn't supposed to be doing http or https, then this is a warning sign. And yes, running firewalls internally is required in case one of your machines inside is compromised.

Re:

[DarwinSurvivor]

HTTP/HTTPS sessions will have a limited lifetime (the exception being some HORRIBLE streaming technologies you shouldn't be using anyways) and SSH should only have incoming connections from KNOWN sources with very few exceptions. If you can't block a "hacker" (read: script kiddy) using GoToMyPC, you need to find another profession.

Duh, run md5sum from external machine

[cheekyboy]

Man, you would run md5sum on the actual compromised box??

Why not do it from a ISO booted linux, and nfs share the whole box , so you can sum it from the outside.

What you really need is all binaryies libs running of a partition that is read only. Kind of like android.

Re:

[jcdr]

The nfs could be hacked to give the original binaries to your outside server.

Absolutely impossible because the hacked file will have his checksum changed from the NFS server point of view. As long as the NFS server is not compromised, this is very safe. I personally use NFS root internet servers since more than 12 years now and I can say that's a very efficient way to detect and recover from external attacks. In addition, it very reliable, comfortable to manage, and easy to backup.

Re:

[jcdr]

If you hacked the box, you can certainly also modify the NFS server running on that box.

The NFS server is NOT the same box as the internet server that use NFS root as a client. Here is a simple schema:

RAID array NFS server box Firewall Internet server boxes (NFS root client) Firewall Internet

To archive a permanent modification of one of the internet server box, a file must be modified on the NFS root mounted filesystem. This modification is very easy to detect from the NFS server point of view. I personally use a simple script that parse the rsync log while it backup the internet servers

Re:

[jcdr]

Arrg! Missed to see that the formatting removed chars on the graph. Below is a correct one:

RAID array ==== NFS server box ==== Firewall ==== Internet server boxes (NFS root client) ==== Firewall ==== Internet

Re:

[jcdr]

Yes, "out-of-tree" is the key.

I have experimented a very successful way to solve the problem: Internet connected servers using NFS root from an intranet NFS server. All the machines are using a standard distribution. The intranet NFS server handle the backup of all the internet servers using rsync. It's really easy and efficient as it's just moving data internally of the RAID array. It's easy to detect unexpected files change, to compare internet machines binaries with the intranet machine binaries, and to

Re:Tip

[Ford Prefect]

I will ALWAYS find your rootkit. This is because you're trapped in a VM, and I can always checksum the files from another uncompromised system (LiveCD / USB).

This is, of course, assuming that you yourself are not running on another compromised virtual machine.

(There was one hack I was involved in where an investigator tried to get clever and started calculating MD5 checksums with a universal Turing machine operated using pencil and paper. Fortunately, I'd already trojaned base logic itself and managed to subvert alphanumeric characters to return the 'correct' values. Hacking the logical representations of arabic numerals? Now that's pretty advanced stuff. But then, there's always the worry that my own consciousness is running on something other than what I think is my own brain...)

Re:

[cheekyboy]

I can always have a real hardware PPC or MIPS based linux or even old Solaris machines used as 'screeners, scanners' to verify the VMs.

Oh and I could use 2 identical machines that do a complete scan and compare results.

Re:Tip

[davester666]

If there is one thing I truly dislike, it's getting backdoored.

Effective

[Anonymous Coward]

I myself have set up modified versions of the sshd dameon/ssh client on various rooted machines in the past (mine was simply allowing root login without logging anything with a hardcoded password + writing logins/hosts/passwords, after encryption, deep inside a fake shared library on the system - this took less than an hour to implement in the openssh source).

In all cases, despite the extreme simplicity of this mechanism, it was very, very easy to then gain access to a lot of other boxes on the network, and eventually to all the network itself. Just wait for the clueless sysadmin to log in (dumping his pass), then wait for him to use ssh to log in to another box in the network (dumping his pass as well). Then install the modified version of the daemon/client on to this new box. Rince, repeat.

It is in a way terrifying to see how most sysadmins are clueless. So, IMHO, a few measures that should be compulsory on any network:

- Do not allow write access to any essential binaries (like sshd, ls, and so on). If you have to, make sure you have a stealthy daemon checking the hashes of all critical binaries at regular intervals to make sure they have not been tampered with.
- Never, ever, log in to a server in your network from another server in the same network. Use port redirection, then log in from your initial box.
- Always use a dedicated server for system logs (syslog handles that very easily - sending logs over the network). That way, the logs of the initial system compromise will not be deletable. Do not ever log in remotely to this dedicated machine.
- After the initial system install, make a dump of the syscalls table of your kernel. Check it regularly to make sure it has not been tampered with (kernelspace rootkits usually hijack this table).
- ...there are also other ways to implement an effective kernelspace rootkit, like VFS hijacking, so make sure you disable modules loading in the kernel before compiling (and check the hash of the kernel image itself regularly as well).

Those are the main sane measures that come to mind (this is all based on real life experience intruding into large companies/laboratories/university systems, without ever having been detected). Posting anonymously for obvious reasons.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:

[DarwinSurvivor]

Also, don't use passwords for ssh.

Bad advice because ...

[dbIII]

Personally I think a password is a very good idea if combined with a key. If a laptop gets stolen the thief can log in directly with the stolen key saved on the laptop. If they have to work out a password as well they only get what is on the laptop.

Re:Bad advice because ...

[Opportunist]

Security is usually one of three things: Something you know (password), something you have (key, token) or something you are (biometry). Alone, none of them is really a big security obstacle, at the very least you should combine two of them. If you're paranoid, require all three.

Using two of the same class is patently useless, as practice has shown. If one password can be sniffed, so can two and more. And people tend to store their keys and dongles and other work related gadgets in similar places (if you get their keys, you usually also get their ID dongles), so if one is gone, usually they are all gone. And I guess I needn't explain why fingerprinting and retina scans aren't really a sensible combo either (aside from the cost).

And preferably request them through two separate and independent channels. It's amazing how rarely this rather essential minimum of security is enforced.

Re:

[segedunum]

That's what SSH key phrases are for.

Re:

[dbIII]

To a non-sysadmin what they see during the ssh login process is a request for a password even when it is really the key phrase for the key. They'll take that "don't use a password" advice above as logging in with keys that have no passphrase.
What I wrote above should be obvious but I seem to have attracted five people that have decided I'm a pedant so want to get pedantic about me using "password" to make the my post easier to read.

Re:

[smash]

Passphrases on SSH keys are not the same as SSH passwords. They don't go over the wire.

Re:

[Antique Geekmeister]

There is no way to enforce this, except to scan people's home directories for unsecured keys. It's also awkward if they are using "ssh-agent" or other passprase unlocking tools on a shared host, such as a server where I have administrative access or when someone has set up software to use passphrase-free keys as part of a regularly scheduled task, such as a backup system for databases. I've used these approaches to borrow other user's SSH keys when needed, not always with their advance knowledge. (I always

Re:

[dbIII]

There is no way to enforce this, except to scan people's home directories for unsecured keys

And it doesn't help when we get so many people writing "don't use passwords" - so they take that advice to mean not securing their keys :(

Re:

[DarwinSurvivor]

As others have suggested, I will confirm. Do not use username/password as the authentication method for your ssh server. If you want 2-factor encrypt the private keys or go hardcore with PAM and have them enter one-time codes from a pad or separate comm channel (sms, etc) after the key is verified.

Re:

[dbIII]

Just put a password/passphrase on the key as designed and it all works as intended for general use.
Single factor authentication with a stealable key can be even worse than single factor authentication with a password in some cases.

Re:

[DarwinSurvivor]

Um, that's exactly what I just said...

Re:

[dbIII]

You're talking about different things

No - the above poster wrote "don't use passwords". Taken at face value that sounds like recommending not to encrypt your private key with a password - because that would mean "using a password" - thus bad advice.

The parent is talking about logging in with password authentication, rather than public key authentication.

No - that is called reading between the lines, adding something that is not there and making an assumption that somebody that doesn't know better will not

Re:

[segedunum]

No - the above poster wrote "don't use passwords". Taken at face value that sounds like recommending not to encrypt your private key with a password - because that would mean "using a password" - thus bad advice.

No, it doesn't. Everyone with half a brain regarding SSH should know what 'not using passwords' with SSH means - and it doesn't mean *not* using a pass 'phrase' for your SSH key. He never said that. I'm afraid your splitting hairs here to have something to say.

No - that is called reading between the lines, adding something that is not there and making an assumption that somebody that doesn't know better will not make - thus it doesn't change that the post above is bad advice.

No. You have totally misunderstood the post, and please don't tie yourself in knots like that. It was very clear what he wrote and you were the one who added in 'I think a password is a very good idea if combined with a key'. It's also not called a 'p

Still bad advice because ...

[dbIII]

and it doesn't mean *not* using a pass 'phrase' for your SSH key. He never said that. I'm afraid your splitting hairs here to have something to say.

I'm not splitting hairs because ssh login with a key and no pass phrase is a frequent shortcut.

It is not his fault that you or others don't know what he's talking about.

You don't know what he's talking about either - you are just adding things you think should be there but are not.. I'm making a comment on something that should be there if it's going to be good

Re:

[dbIII]

Please read his second post. He's describing single factor authentication using a key alone instead of single factor authentication using a password alone. That's why I called it bad advice and gave an example to demonstrate why the first can be just as bad an idea as the second.

Re:

[dbIII]

The private keys can be considered part of ssh, so at face value it does come out as "don't use passwords for your private keys" - thus very bad advice. I don't know why you are trying to complicate this.

Is this for real or just buzzword pizza?

[dbIII]

Do not allow write access to any essential binaries

This makes no sense. Once somebody has root and can write to those binaries you are already fucked and they can change access to anything they like, and then write over it to their hearts content.
Putting them on read only media sounds like a cool idea but is difficult to implement for anything other than the short term and can be circumvented if somebody roots your box anyway. There's the script kiddie toy of changing file attributes (and thus announcing

Re:

[segedunum]

This makes no sense. Once somebody has root and can write to those binaries you are already fucked and they can change access to anything they like, and then write over it to their hearts content.

Quite right. Binaries are already write protected from users but if you're root you can do anything.

Re:

[Junta]

It might be reasonable to map most system binaries to an nfs share where root is mapped to nobody...

Re:

[dbIII]

Now that's something more sensible than read-only media that's only going to have a short lifetime before you have to change things on it. Of course locking root out from changing the mount point is going to be a challenge in both cases.

Re:

[jcdr]

Simply use NFS root for the internet server. It's reliable, easy to backup, and fun to manage.

Re:

[dbIII]

So? You have root, write a script to change those flags, have it run on startup in single user mode, and reboot in the middle of the night to single user mode so nobody notices. Of course your script could then change the box back to the right runlevel when it's finished and let you back in.
Once somebody has root (or full physical access and a screwdriver) they own the box, and about all you can do is make sure they can't easily get into other ones.

Re:

[smash]

So? You have root, write a script to change those flags,

Except you can't. The securelevel [wikipedia.org] feature in FreeBSD (maybe others) disables the ability to write to files with the immutable bit set. The only way to write to these files is to reboot the box into single user mode, before the kernel securelevel is raised. Single user mode = no network running.

Setting securelevel is a one way thing, once it has been raised, you can not lower the securelevel.

Re:

[smash]

Maybe you should get the concept of immutable flags on configuration files.

Re:

[TheGratefulNet]

old school: send remote syslog to a printer. real paper printer.

can't rm -rf paper; at least not remotely.

Define "wild"

[dalmor]

The article says "...discovered on compromised servers."

If they are not distro(i.e. ubuntu, redhat,centos, etc.) servers, or openssh servers, this is a non-story. I can create a random domain, compile a version of openssh to sends passwords to me and host it on my server as an official ssh binary.

If I install stock wordpress with access to the file, would that then count a compromised?

Gather passwords with ssh? Hah!

[Omnifarious]

I never use passwords with ssh. If ssh asks me for a password, I know something is wrong. I made this policy decision because of the endless attempts to log into my machine from all over the world. It was either something like a yubikey, or only using public key authentication. I went for the public key authentication.

Re:

[maxwell demon]

So you don't password-protect your private key?

Re:

[segedunum]

That would be using a pass phrase, not a password. ;-)

Re:

[segedunum]

.....and since when does a server ask you for your SSH key phrase?

Re:

[segedunum]

Because what you wrote has nothing to do with not using passwords with SSH.

Re:

[causality]

I use denyhosts - fail2ban is good too, the basic idea is the same.

I use SSHGuard here. I'd rather block all IP traffic from them entirely.

Re:

[causality]

Denyhosts can be set to block all, not just ssh, if wanted. I decided not to because some might have ISP NAT and that would block many people from my webserver... Maybe unlikely though, and leaving them an option to find an exploit in apache or wordpress might not be that good idea...

Sorry it took a while to get back to you.

My point is I would rather have all traffic from an offending IP address be DROPped at the kernel by an iptables rule, than have the machine continue to receive packets only to have connections rejected by TCP Wrappers and the hosts.deny file.

Of course with TCP Wrappers you do have more fine-grained control. You can, as in your example, decide to block one service and not another. In my own use-case there is no scenario where I would want to deny SSH access t

Which Distro?

[Lawrence_Bird]

I may have missed it but was this a binary package for a specific distro (on their own servers) or a binary on an untrusted server not attached to any specific distro?

Re:Iceland? How hard could it be?

[WWJohnBrowningDo]

Just because the server is in Iceland doesn't mean the perpetrator is.

In all likelihood the server is just another compromised machine.

Re:Iceland? How hard could it be?

[JWSmythe]

Yup. There are actually several reasonably priced hosting services in Iceland. I was shopping for international homes for some of my data, until I thought about it and none of my data is worth spending money to hide. :) Iceland was pretty high on the list though.

Re:

[AK Marc]

Check with Men and Mice, they are the only Icelandic company I know of that works with "security" and "Linux" in their company description.

Re:

[Trepidity]

Maybe it wasn't a "who" but a "what" [www.iiim.is].

Re:

[Runaway1956]

I don't think so. I suspect an extraterrestrial ship parked in a geothermal vent somewhere. They're out of sight, they get free energy, and they're close enough to a server to hack into it with their advanced computers. They've given up on those abductions and anal probes, now they're just hacking into the network to discover whatever might be on our minds.

Or, maybe it's occurred to them that we don't keep our brains next to our rectum?

Re:

[Raenex]

That's funny, but for those that don't know: XOR is a well-known, poor man's encryption/obfuscation trick.

Re:

[EzInKy]

They have thousand of eyes looking at the source and working on ways to improve things. What are the Window's folks doing?

Re:

[smash]

You'd like to think so, but when things like this [debian.org] happen, you can see that having thousands of unqualified people looking at code and sometimes modifying it is not really any benefit to security at all.

Knowing someone who is infected is the condition

[raymorris]

The bad guys only had to compromise one machine, then the trojan spreads. Say for example my co-worker Jeff has him home machine infected. He uses ssh to connect from home to his office. The bad guys now haveaccess to infect his office machine. Jeff is a sysadmin at the office, so from his office desktop he logs into various servers. That spreads the infection to the servers. I then use scp (ssh file copy) to pull some files on to a server from my work desktop. Now my desktop is infected. Later, I s

Re:

[lindi]

It would be nice if ssh could enforce this and refuse to connect if you try to break the policy.