[lug] Hacked SSH Daemon

George Sexton gsexton at mhsoftware.com
Fri Sep 7 16:17:22 MDT 2007
steve at badcheese.com wrote:
> Boot knoppix, run 'chkrootkit'.  Check MD5's of your sshd binaries to a 
> known good one on a machine with the same OS (if you have access to 
> one). If a rootkit has been found or sshd has been found to have been 
> replaced, the system is untrustworthy and should be wiped (except for 
> any non-executable files).

I know the MD5SUM of the SSHD binary is modified because RPM -Vf 
/usr/sbin/sshd shows a change.

> 
> If you want to have some fun, it's usually pretty easy to follow the 
> tracks of a hacker.  You can usually find the hacker's tracks and 
> back-track them and see how he got in so you can protect yourself in the 
> future and on other machines.  Check log files, .history, scan for files 
> modified by date, dot-files are used frequently, ...  Nowadays, linux 
> machines are pretty secure, but root compromises still happen from time 
> to time.

I'm guessing since the other package that has major problems with RPM -V 
is webmin that it was the entry point.

It appears to me that they used WebMin to drop the trojaned SSH daemon 
in place, and then erased WebMin to keep anyone else from doing it.

> 
> If you ssh'ed from that machine to any other machines, you need to check 
> those 'target' machines to make sure that they're not also compromised.

Fortunately, I only went from that machine in, not out from that 
machine. I think I'll still use the knoppix suggestion you made and 
double-check my machine anyhow.

> 
> - Steve
> 
> On Fri, 7 Sep 2007, George Sexton wrote:
> 
>> Date: Fri, 07 Sep 2007 11:25:03 -0600
>> From: George Sexton <gsexton at mhsoftware.com>
>> Reply-To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
>>     <lug at lug.boulder.co.us>
>> To: "Boulder (Colorado) Linux Users Group -- General Mailing List"
>>     <lug at lug.boulder.co.us>
>> Subject: [lug] Hacked SSH Daemon
>>
>> I think a machine that I admin has been hacked.
>>
>> The first problem that I noticed was SSH wasn't running.
>>
>> Attempts to start sshd generated an error: invalid option "-o 
>> PidFile=/xxx"
>>
>> I verified from the man file that this should work.
>>
>> Next, I noticed that I got an RSA key message saying that the server's 
>> RSA key wasn't known, but the DSA key was known. The next thing I 
>> noticed was that Public Key authentication no longer worked. I also 
>> verified that I can remotely login as Root, even though I have set 
>> PermitRootLogin no in the /etc/ssh/sshd_config
>>
>> Finally, when I did a "rpm -Vf /usr/sbin/sshd", it popped as modified.
>>
>> Has anyone seen this before?
>>
>> Do I need to worry about the machine that I logged in and did my 
>> testing from? It's an up to date SuSE 10.2 system. Amazingly, on that 
>> system, I had a unique password.
>>
>> Once I figured out the system looked hacked, I switched to a Knoppix 
>> system.
>>
>> Any ideas on whether I may have compromised the machine I did my 
>> initial investigation from will be REALLY appreciated.
>>
>>
> 

-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/
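Added example, not from anyone on the thread: a small triage helper for the `rpm -V` / `rpm -Vf /usr/sbin/sshd` output George relies on. It separates changes that are normal on a live host (edited config files, touched mtimes) from the pattern that indicates a replaced packaged executable or a removed package file. The sample output and the webmin path in it are constructed.

```python
import re
from dataclasses import dataclass

# Attribute letters printed by rpm -V ('.' = matches the database, '?' = test
# could not run). Column 9 (P) exists only in newer rpm, so 8 or 9 chars are accepted.
FLAG_MEANING = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "readlink",
    "U": "user", "G": "group", "T": "mtime", "P": "capabilities",
}
# Attribute changes a packaged executable should never legitimately show.
REPLACED_SIGNS = {"S", "5", "M", "U", "G"}
LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")

@dataclass
class Finding:
    path: str
    flags: str   # raw rpm -V flag string, or "missing"
    ftype: str   # c=config, d=doc, g=ghost, l=license, r=readme, ""=regular file

def parse_rpm_verify(output: str) -> list:
    """Parse `rpm -V` / `rpm -Vf <file>` / `rpm -Va` output into Findings."""
    findings = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines such as "package foo is not installed" are skipped
            findings.append(Finding(m["path"], m["flags"], m["ftype"] or ""))
    return findings

def suspicious(findings: list) -> list:
    """(path, reason) for entries that look like tampering, not local admin work:
    digest/size/mode/owner mismatch on a non-config file, or a missing non-doc file."""
    hits = []
    for f in findings:
        if f.flags == "missing":
            if f.ftype != "d":
                hits.append((f.path, "missing"))
        elif f.ftype != "c" and REPLACED_SIGNS & set(f.flags):
            changed = ",".join(FLAG_MEANING[c] for c in f.flags if c in FLAG_MEANING)
            hits.append((f.path, "changed " + changed))
    return hits

# Constructed sample mirroring the thread: sshd replaced, sshd_config edited,
# ssh client only touched (mtime), and a webmin file gone (path is made up).
SAMPLE = """\
SM5....T.    /usr/sbin/sshd
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/bin/ssh
missing     /usr/libexec/webmin/miniserv.pl
"""
```

Run it on real output with `rpm -Va > verify.txt` from a rescue system that has the host's RPM database mounted, then feed the file to `parse_rpm_verify`; the `c` marker is what keeps a locally edited `sshd_config` from drowning out a swapped `sshd` binary.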