[lug] Hacked SSH Daemon

George Sexton gsexton at mhsoftware.com
Sat Sep 8 10:49:40 MDT 2007


dio2002 at indra.com wrote:
>>> If you want to have some fun, it's usually pretty easy to follow the
>>> tracks of a hacker.  You can usually find the hacker's tracks and
>>> back-track them and see how he got in so you can protect yourself in the
>>> future and on other machines.  Check log files, .history, scan for files
>>> modified by date, dot-files are used frequently, ...  Nowadays, linux
>>> machines are pretty secure, but root compromises still happen from time
>>> to time.
>> I'm guessing since the other package that has major problems with RPM -V
>> is webmin that it was the entry point.
>>
>> It appears to me that they used WebMin to drop the trojaned SSH daemon
>> in place, and then erased WebMin to keep anyone else from doing it.
> 
> I'm curious about the trackback procedure you used to discern this. 
> Obviously the size tipped you off and maybe you stopped right there.  But
> if you used any other methods to trace the actions, including the logs
> mentioned above, i'd like to know what steps you took and any logs you
> found clues in (if you have the time).

The first tip that webmin was the backdoor was that rpm -Va showed 
virtually every webmin file had been modified. I think now they 
installed an updated version that doesn't have the vulnerability in it. 
It appears that the vulnerability was a directory traversal bug that 
allowed them to execute arbitrary commands.

I went through the webmin logs, and found where they uploaded a perl 
program that started a rudimentary remote shell. Once the remote shell 
was in place, they looked over the machine, checked the CPU, and then 
installed the trojaned ssh and sshd programs. I noticed they created a 
user account, checked the CPU, and then deleted the user account. 
Evidently a P3 800 w/ maybe 10GB of free disk wasn't enough of a prize.

It looks like they then pretty much left it alone. There's no root kit, 
or other back doors.

Unfortunately for them, the trojaned SSH wouldn't start, so it wasn't 
running until I started to take a look at it.

From looking at it, the .bash_history for root was intact, along with 
the webmin logs. This really surprised me. I remember from reading the 
Cuckoo's Nest how meticulous the guy was about covering his track. Also, 
copies of the perl remote shell, and trojaned binaries were left 
laying in root's user directory.

In short, it wasn't a very clean job and detection just wasn't a worry.




-- 
George Sexton
MH Software, Inc.
Voice: +1 303 438 9585
URL:   http://www.mhsoftware.com/
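The rpm -Va pass George describes is the kind of thing worth scripting when a box looks compromised: on a live system the raw output is long and mostly noise (config files and timestamps), and what you want to see is which non-config files changed in content or size, and whether the hits cluster under one package's directory the way the webmin files did here. The script below is an added example, not code from the original post or from anyone on the list. It parses the layout rpm -Va prints (eight or nine attribute columns, an optional "c" config marker, then the path, or the word "missing"), buckets each file by how worrying the change is, and counts hits per directory. The sample input is constructed to resemble this incident and was not captured from the machine in the post.

```python
import os
import re
from collections import defaultdict

# Attribute columns printed by `rpm -V` (rpm 4.x; older versions omit P):
#   S size  M mode  5 digest  D device  L readlink  U user  G group  T mtime  P caps
# A single letter after the columns marks the file class: c config, d doc, etc.
_LINE = re.compile(
    r"^(?P<attrs>[SM5DLUGTP.?]{8,9}|missing)\s+"
    r"(?:(?P<ftype>[cdglr])\s+)?"
    r"(?P<path>/\S.*)$"
)

ATTR_NAMES = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities", "?": "unreadable",
}


def parse_rpm_verify(text):
    """Parse `rpm -Va` output into a list of records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        attrs = m.group("attrs")
        missing = attrs == "missing"
        changed = set() if missing else {ATTR_NAMES[c] for c in attrs if c in ATTR_NAMES}
        records.append({
            "path": m.group("path"),
            "config": m.group("ftype") == "c",
            "missing": missing,
            "changed": changed,
        })
    return records


def triage(text):
    """Bucket verified files by how worrying the change is.

    suspicious     non-config file whose digest or size differs from the package,
                   or a packaged file that is gone (a replaced sshd lands here)
    config_changed config file whose content changed; normal on an administered
                   box, but still worth diffing against the packaged copy
    mtime_only     only the timestamp moved; usually benign (touch, reinstall)
    other          anything else (mode, owner, group, symlink target)
    """
    buckets = defaultdict(list)
    for r in parse_rpm_verify(text):
        content = r["changed"] & {"digest", "size"}
        if r["missing"]:
            buckets["suspicious"].append(r["path"])
        elif content and not r["config"]:
            buckets["suspicious"].append(r["path"])
        elif content:
            buckets["config_changed"].append(r["path"])
        elif r["changed"] <= {"mtime"}:
            buckets["mtime_only"].append(r["path"])
        else:
            buckets["other"].append(r["path"])
    return dict(buckets)


def by_directory(paths):
    """Count suspicious hits per directory, so a wholesale replacement of one
    package's files stands out from a single swapped binary."""
    counts = defaultdict(int)
    for p in paths:
        counts[os.path.dirname(p)] += 1
    return dict(counts)


# Constructed sample in the layout `rpm -Va` prints; not output from the compromised host.
SAMPLE = """\
S.5....T.    /usr/bin/ssh
S.5....T.    /usr/sbin/sshd
..5....T.  c /etc/ssh/sshd_config
.......T.  c /etc/webmin/config
S.5....T.    /usr/libexec/webmin/miniserv.pl
S.5....T.    /usr/libexec/webmin/web-lib.pl
missing      /usr/libexec/webmin/webmin-search-lib.pl
.M......     /var/log/webmin
"""

if __name__ == "__main__":
    # On a real box: rpm -Va 2>/dev/null > rpm-verify.txt, then feed that file in.
    result = triage(SAMPLE)
    for bucket, paths in result.items():
        print(bucket)
        for p in paths:
            print("   ", p)
    print(by_directory(result.get("suspicious", [])))
```

Two caveats when reading the result. rpm -Va trusts the local rpm binary and the rpm database under /var/lib/rpm; an intruder who cared about detection would alter both, so on a box you really suspect, run the check from rescue media or compare against the package files from a known-good copy rather than the installed ones. And a file that verifies clean was still reachable by whoever had root, so a clean rpm -Va rules out replaced packaged files, not new files dropped elsewhere; that is what the find-by-modification-date scan mentioned earlier in the thread is for.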


