Slashdot Mirror

← Back to Stories (view on slashdot.org)

Trojanized SSH Daemon In the Wild, Sending Passwords To Iceland

Posted by timothy on from the in-iceland-they-get-massages dept.

An anonymous reader writes "It is no secret that SSH binaries can be backdoored. It is nonetheless interesting to see analysis of real cases where a trojanized version of the daemon are found in the wild. In this case, the binary not only lets the attacker log onto the server if he has a hardcoded password, the attacker is also granted access if he/she has the right SSH key. The backdoor also logs all username and passwords to exfiltrate them to a server hosted in Iceland."

3 of 171 comments (clear)

  1. Re:Iceland? How hard could it be? by WWJohnBrowningDo · · Score: 5, Insightful

    Just because the server is in Iceland doesn't mean the perpetrator is.

    In all likelihood the server is just another compromised machine.

  2. Re:Tip by 19thNervousBreakdown · · Score: 4, Insightful

    You can never clean up a system. MD5s help, but you know what one of the first things I'd do when rooting a system is? After making sure my rootkit didn't show up in directory listings, I'd patch md5, shasum, perl, and ruby to return the exact MD5 I wanted for every file I defined a magic string for.

    You gonna catch me on some systems? Sure. You gonna catch me on an extremely common distro like Debian without installing out-of-tree software? Probably not.

    --
    <xml><I><am><so><damn>Web 2.0</damn></so></am></I></xml>
  3. Re:Tip by DarwinSurvivor · · Score: 4, Insightful

    Rule #1 of investigating a compromised system is you don't use the tools on the compromised system.