Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland

Posted by timothy on from the in-iceland-they-get-massages dept.

An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon are found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password, the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all username and passwords to exfiltrate them to a server hosted in Iceland."

5 of 171 comments (clear)

  1. Tip by detritus. · · Score: 5, Informative

    I cleaned up an a backdoored Debian system after discovering md5 sum mismatches on all the ssh binaries from the original packages some time ago.

    debsums is a nice utility to check this for you, granted that the attackers didn't modify the signing keys and installed their own package.

    1. Re:Tip by Nerdfest · · Score: 3, Informative

      Poor passwords, other infected (non-repo) packages, exploits in services (like apache, etc) installed with too many permissions, etc.

  2. Re:Effective by Gaygirlie · · Score: 3, Informative

    - Do not allow write access to any essential binaries (like sshd, ls, and so on). If you have to, make sure you have a stealthy daemon checking the hashes of all critical binaries at regular intervals to make sure they have not been tampered with.

    I'm sure there are plenty of other such systems, but Tripwire ( http://www.tripwire.org/ ) is one of the more popular tools to keep a check on your system and warn you immediately if it detects tampering attempts.

    - After the initial system install, make a dump of the syscalls table of your kernel. Check it regularly to make sure it has not been tampered with (kernelspace rootkits usually hijack this table).

    AFAIK Tripwire handles this, too.

  3. Re:Bad advice because ... by Opportunist · · Score: 3, Informative

    Security is usually one of three things: Something you know (password), something you have (key, token) or something you are (biometry). Alone, none of them is really a big security obstacle, at the very least you should combine two of them. If you're paranoid, require all three.

    Using two of the same class is patently useless, as practice has shown. If one password can be sniffed, so can two and more. And people tend to store their keys and dongles and other work related gadgets in similar places (if you get their keys, you usually also get their ID dongles), so if one is gone, usually they are all gone. And I guess I needn't explain why fingerprinting and retina scans aren't really a sensible combo either (aside from the cost).

    And preferably request them through two separate and independent channels. It's amazing how rarely this rather essential minimum of security is enforced.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. Re:I use Gentoo by miknix · · Score: 4, Informative

    Unless you're auditing said sources, you're no better off than installing binaries.

    You know that Gentoo checks the SHA256 SHA512 and WHIRLPOOL digests of the downloaded sources before compiling right? You also know that the digests stored in Gentoo's repository are signed using a PGP key of the package maintainer, right?

    So can you please explain me again why I need to audit such sources? Sure sources can be compromised at upstream's servers and Gentoo maintainers can also make mistakes but this is not what TFA is about.