unsp...@hushmail.com said the following on 18/06/2013 23:05:
> On Tue, 18 Jun 2013 17:57:16 +0200 "Luigi Rosa"
>
>> The ssh has a different configuration from the standard ssh on
>> port 22
> 
> Different how? What's the location of the file(s)?

I cannot get the binary path of the backdoor.

I say that is different because of this:

$ telnet localhost 6108
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.8.1

telnet> q
Connection closed.
$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3

telnet> q
Connection closed.

> Indeed binaries could have been replaced. What does RKH detect?

Nothing. Even after an update. That's my concern.

> Please also try 'lsof -Pwlni tcp:6108' or 'fuser -nuv tcp 6108'.

Both empty. I checked the SHA1 signatures of the binaries and they are the same as
on a fresh machine.

> Did you verify all packages with 'rpm -Vva 2>&1 | grep -v "^\.\{8\}";'?

It reveals only changes to the configuration files, no changes in the binaries.

>> Other means of detect do not show the backdoor.
> What *other* means exactly?

unhide tools and a grep script on the /proc filesystem

Thank you anyway, I will nuke the server this afternoon.

Ciao,
luigi

-- 
/
+--[Luigi Rosa]--
\

The glorious days of the Galactic Empire, when men were real men,
women were real women, and small furry creatures from Alpha Centauri
were real small furry creatures from Alpha Centauri.
    --Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
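The cross-check that lsof and fuser perform implicitly, written out as an added example (this is not code from the thread, from rkhunter or from unhide): list the sockets in LISTEN state from /proc/net/tcp, collect the socket inodes referenced by every visible process's fd table, and report any listening port whose inode no process claims, which is exactly the symptom described above. It assumes the Linux /proc layout; the embedded /proc/net/tcp sample is constructed, and port 6108 is used only because the thread mentions it.

```python
import os
import re
TCP_LISTEN = "0A"  # 'st' column value for a listening socket in /proc/net/tcp

# Constructed sample of /proc/net/tcp (not from the thread's server): sshd on 22, a second listener on 6108, one established session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 14021 1 0000000000000000 100 0 0 10 0
   1: 0100007F:17DC 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 99831 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0A00000A:C3E4 01 00000000:00000000 00:00000000 00000000     0        0 14077 1 0000000000000000 20 4 30 10 -1
"""

def parse_listeners(proc_net_tcp_text):
    """Return {port: socket_inode} for every socket in LISTEN state."""
    listeners = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)  # local port is hex after ':'
        listeners[port] = fields[9]
    return listeners

def owned_socket_inodes(proc_root="/proc"):
    """Map socket inode -> pid for every fd of every process visible in /proc."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process already gone, or not readable by this user
            continue
        for fd in fds:
            try:
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m:
                owners[m.group(1)] = int(pid)
    return owners

def unowned_listeners(listeners, owners):
    """Listening ports whose socket inode no visible process holds open."""
    return sorted(port for port, inode in listeners.items() if inode not in owners)

if __name__ == "__main__":  # live check on a Linux host, run as root
    live = parse_listeners(open("/proc/net/tcp").read())
    for port in unowned_listeners(live, owned_socket_inodes()):
        print(f"tcp/{port}: listening socket with no visible owning process")
```

Repeat the same parse over /proc/net/tcp6 for IPv6 listeners; a port that answers on the wire but shows up as unowned here (or not at all) points at something hiding below the process list, which is why the thread's conclusion to rebuild the host rather than trust it is the right one.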