Hey, recently Hetzner (www.hetzner.de) found at least one of their boxes was running an undetected sshd backdoor.

http://pastie.org/8015553

"The malicious code used in the "backdoor" exclusively infects the RAM. First analysis suggests that the malicious code directly infiltrates running Apache and sshd processes. Here, the infection neither modifies the binaries of the service which has been compromised, nor does it restart the service which has been affected."

Looks like something very similar to that.

Bye
William

----- Original Message -----
From: "Luigi Rosa" <li...@luigirosa.com>
Cc: rkhunter-users@lists.sourceforge.net
Sent: Wednesday, June 19, 2013 9:51:44 AM
Subject: Re: [Rkhunter-users] SSH backdoor non detected by RKH

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

unsp...@hushmail.com said the following on 18/06/2013 23:05:
> On Tue, 18 Jun 2013 17:57:16 +0200 "Luigi Rosa"
>> The ssh has a different configuration from the standard ssh on
>> port 22
>
> Different how? What's the location of the file(s)?

I cannot get the binary path of the backdoor. I say that it is different because of this:

$ telnet localhost 6108
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_3.8.1
telnet> q
Connection closed.

$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.3
telnet> q
Connection closed.

> Indeed binaries could have been replaced. What does RKH detect?

Nothing. Even after an update. That's my concern.

> Please also try 'lsof -Pwlni tcp:6108' or 'fuser -nuv tcp 6108'.

Both empty. I checked the SHA1 signatures of the binaries and they are the same as on a fresh machine.

> Did you verify all packages with 'rpm -Vva 2>&1 | grep -v "^\.\{8\}";'?

It reveals only changes to the configuration files, no changes in the binaries.

>> Other means of detection do not show the backdoor.
>
> What *other* means exactly?

unhide tools and grep scripts on the /proc filesystem.

Thank you anyway, I will nuke the server this afternoon.

Ciao,
luigi

- --
/ +--[Luigi Rosa]--
\ The glorious days of the galactic empire, when men were real men, women were real women and the small furry creatures from Alpha Centauri were real small furry creatures from Alpha Centauri.
--Douglas Adams, "The Hitchhiker's Guide to the Galaxy"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlHBcRsACgkQ3kWu7Tfl6ZTFcACeLUkqklaFQvdKdroyxBM8h3Zl
xdMAoJxevZjB9nvrRGlIcdcjZ6GBk90E
=ni4Z
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows: Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Rkhunter-users mailing list
Rkhunter-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
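The symptom in the thread above is a port that answers with an SSH banner while 'lsof' and 'fuser' report no owning process. Both of those tools build their view by walking /proc/<pid>/fd, so one way to make the discrepancy explicit is to list every socket the kernel reports in LISTEN state in /proc/net/tcp and check whether any visible process holds its inode. The script below does that; it is an added example written for this thread, not code from the thread, from rkhunter or from unhide, and the /proc/net/tcp sample and inode set it ships with are constructed so it runs offline. On a live Linux host it can also run the same check for real (as root, so every process's fd directory is readable).

```python
#!/usr/bin/env python3
"""Added example (not from the thread): cross-check TCP listeners that the
kernel reports in /proc/net/tcp against the socket inodes that visible
processes hold open under /proc/<pid>/fd. A listener whose inode no visible
process owns is the symptom discussed above: the port answers, but lsof and
fuser report nothing. The sample /proc/net/tcp content below is constructed."""
import os
import re

TCP_LISTEN = "0A"  # state code for listening sockets in /proc/net/tcp


def parse_proc_net_tcp(text):
    """Return [(local_port, inode), ...] for every socket in LISTEN state.

    /proc/net/tcp columns: sl local_address rem_address st tx:rx tr:tm
    retrnsmt uid timeout inode ...; addresses and ports are hex.
    """
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if state != TCP_LISTEN:
            continue
        port = int(local_addr.split(":")[1], 16)
        listeners.append((port, int(inode)))
    return listeners


def socket_inodes_of_visible_processes(proc_root="/proc"):
    """Collect every socket inode referenced by a /proc/<pid>/fd symlink.

    This is the same view lsof and fuser build; a process that is hidden,
    or whose /proc entry is filtered, simply contributes nothing here.
    """
    inodes = set()
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or not readable (run as root)
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            match = re.match(r"socket:\[(\d+)\]$", target)
            if match:
                inodes.add(int(match.group(1)))
    return inodes


def find_orphan_listeners(listeners, owned_inodes):
    """Ports in LISTEN state whose socket inode no visible process holds."""
    return sorted(port for port, inode in listeners if inode not in owned_inodes)


# Constructed sample: sshd on 22 (inode 12345), an unexplained listener on
# 6108 = 0x17DC (inode 67890), and one ESTABLISHED connection (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:17DC 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 20 4 30 10 -1
"""
# Constructed: only the real sshd's sockets appear in some /proc/<pid>/fd.
SAMPLE_OWNED_INODES = {12345, 11111}


def check_sample():
    """Run the check against the constructed sample; returns [6108]."""
    return find_orphan_listeners(parse_proc_net_tcp(SAMPLE_PROC_NET_TCP),
                                 SAMPLE_OWNED_INODES)


def check_live_system():
    """Run the same check on this host (Linux only, best run as root)."""
    with open("/proc/net/tcp") as fh:
        listeners = parse_proc_net_tcp(fh.read())
    return find_orphan_listeners(listeners, socket_inodes_of_visible_processes())


if __name__ == "__main__":
    print("sample orphan listeners:", check_sample())
    if os.path.exists("/proc/net/tcp"):
        print("live orphan listeners:", check_live_system())
```

Two caveats for anyone using this on a real box: /proc/net/tcp covers IPv4 only, so /proc/net/tcp6 needs the same treatment for IPv6 listeners, and the check relies on /proc itself being honest. If whatever owns the port also filters /proc/net/tcp, the listener disappears from this view as well, which is why the banner comparison done with telnet in the thread (a fresh connection to the socket, no /proc involved) remains a useful cross-check. An orphan port reported here is a reason to preserve memory for analysis before rebuilding, since the thread's own finding is that the on-disk binaries were clean.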