LinuxQuestions.org, Linux - Security forum
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  DavidPhillips, 08-12-2002, 09:08 PM
Ssh Users Look At This!

I searched the forum and did not see anything about this,
it comes from a reliable source...

OpenSSH Security Advisory (adv.trojan)

1. Systems affected:

OpenSSH version 3.2.2p1, 3.4p1 and 3.4 have been trojaned on the
OpenBSD ftp server and potentially propagated via the normal mirroring
process to other ftp servers. The code was inserted some time between
the 30th and 31st of July. We replaced the trojaned files with their
originals at 7AM MDT, August 1st.

2. Impact:

Anyone who has installed OpenSSH from the OpenBSD ftp server or any
mirror within that time frame should consider his system compromised.
The trojan allows the attacker to gain control of the system as the
user compiling the binary. Arbitrary commands can be executed.

3. Solution:

Verify that you did not build a trojaned version of the sources. The
portable SSH tarballs contain PGP signatures that should be verified
before installation. You can also use the following MD5 checksums for
verification.

MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a

4. Details

When building the OpenSSH binaries, the trojan resides in bf-test.c
and causes code to execute which connects to a specified IP address.
The destination port is normally used by the IRC protocol. A
connection attempt is made once an hour. If the connection is
successful, arbitrary commands may be executed.

Three commands are understood by the backdoor:

Command A: Kill the exploit.
Command D: Execute a command.
Command M: Go to sleep.

5. Notice:

Because of the urgency of this issue, the advisory may not be
complete. Updates will be posted to the OpenSSH web pages if
necessary.
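The solution section above says to check the PGP signature and the published MD5 sums before building. The following shell helper is an added example, not code from the advisory or from the OpenSSH project: it parses the advisory's own "MD5 (file) = hash" list (copied verbatim from the text above), computes the MD5 of a downloaded file with md5sum (GNU) or md5 (BSD), and reports a match, a mismatch, or a file name the list does not cover. The signature function assumes gpg is installed and that the OpenSSH release key has already been imported into the local keyring; the file it runs on at the end is constructed for demonstration and is not a real tarball.

```shell
#!/bin/sh
# Added example: check a downloaded OpenSSH tarball against the MD5 list
# published in the advisory. The list below is copied from the advisory.
ADVISORY_MD5S='MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8
MD5 (openssh-3.4p1.tar.gz.sig) = d5a956263287e7fd261528bb1962f24c
MD5 (openssh-3.4.tgz) = 39659226ff5b0d16d0290b21f67c46f2
MD5 (openssh-3.2.2p1.tar.gz) = 9d3e1e31e8d6cdbfa3036cb183aa4a01
MD5 (openssh-3.2.2p1.tar.gz.sig) = be4f9ed8da1735efd770dc8fa2bb808a'

# Print the MD5 of a file; uses GNU md5sum if present, else BSD md5 -q.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Look up the expected hash for a file name in the advisory-style list.
# Prints the 32-hex-digit hash, or nothing if the name is not listed.
expected_md5() {
    printf '%s\n' "$ADVISORY_MD5S" \
        | sed -n "s/^MD5 ($1) = \([0-9a-f]\{32\}\)\$/\1/p"
}

# verify_tarball PATH [NAME]: compare PATH's MD5 with the list entry for
# NAME (defaults to PATH's basename). Exit status: 0 match, 1 mismatch,
# 2 no published checksum for that name.
verify_tarball() {
    path=$1
    name=${2:-$(basename "$path")}
    want=$(expected_md5 "$name")
    [ -n "$want" ] || { echo "no published checksum for $name" >&2; return 2; }
    got=$(md5_of "$path")
    if [ "$got" = "$want" ]; then
        echo "OK   $name $got"
        return 0
    fi
    echo "FAIL $name expected $want got $got" >&2
    return 1
}

# The detached signature check the advisory recommends. Assumes gpg is
# installed and the OpenSSH release key is already in the keyring (not
# provided here). Usage: verify_signature openssh-3.4p1.tar.gz
verify_signature() {
    gpg --verify "$1.sig" "$1"
}

# Demonstration on a constructed file standing in for a download; its MD5
# will not match the published value, so it is rejected.
demo=$(mktemp)
printf 'hello' > "$demo"   # constructed content, not a real tarball
verify_tarball "$demo" openssh-3.4p1.tar.gz || echo "reject $demo"
rm -f "$demo"
```

Run it against the real download as `verify_tarball openssh-3.4p1.tar.gz` from the directory holding the file; a rejected file should be deleted and re-fetched, and the signature still checked even when the MD5 matches, since the advisory treats the PGP signature as the primary check.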
 
#2  DavidPhillips, 08-12-2002, 09:16 PM
I did find this on unspawns section of the front page. Guess it's old news
 
#3  unSpawn (Moderator), 08-13-2002, 01:58 AM
Np, I think it's great to see more ppl get involved posting warnings.
One remark tho, I know the [adv\..*] format is used by OpenSSH for advisories but I guess some ppl don't.
So IMO it would be best to always post the full URI.
 
#4  DavidPhillips, 08-14-2002, 12:31 AM
One question

I checked both of my RedHat boxes on the internet running sshd.

They both run

sshd version OpenSSH_3.1p1

According to up2date they seem to think they are not a problem.

RedHat is usually up on the bugs pretty good so I think they are ok.

Anybody know different?

Last edited by DavidPhillips; 08-14-2002 at 12:34 AM.
 
#5  unSpawn (Moderator), 08-14-2002, 05:38 AM
Hmm. There was some noise a few weeks ago about ISS and OpenSSH not disclosing too much nfo on the privsep vulnerability, anyway I upgraded to 3.4p1, look here http://www.openssh.com/txt/preauth.adv for nfo and here for the version security list http://www.openssh.com/security.html.
 
#6  tyler_durden, 08-14-2002, 09:14 AM
My understanding is that the redhat rpms are ok. (Of course you can always go download the new source and install it.) They found out about the problem within 2 days (the iss vulnerability report says july 30 and 31). The openbsd server was compromised when someone "did something stupid".
 
#7  unSpawn (Moderator), 08-14-2002, 07:20 PM
Depends on how you define "ok". Pre-3.4 doesn't have privilege separation for instance. To be clear I took the src.rpm's from an OpenSSH mirror, not from update.redhat.com, there they don't go beyond 3.1.

IMNSHO it's best to verify stuff from ISS against another, reliable source. The OpenSSH advisory hints at troubles with ISS, and it's not the first time them security folks have fsck'ed up good with not testing thoroughly, cross platform and releasing advisories for their benefit, after all they *are* a commercial firm.
 
#8  tyler_durden, 08-14-2002, 10:52 PM
There was talk about it at defcon. Some of the openbsd folks (I can't remember who) were asked about it. She said that someone had done something stupid and that's why the code was compromised.
 
#9  supenguin, 08-18-2002, 01:07 PM
I don't know if this has anything to do with this trojan, but I've found a file on my machine /usr/local/share/Ssh.bin

file Ssh.bin
Ssh.bin: DBase 3 data file (507582464 records)

I have shut down my ssh and am going to run chkrootkit and see if I can find out anything. BTW: slackware 8.1 and I usually stick with the official Slackware packages when they are available. When they are not, I build from source.
 
#10  unSpawn (Moderator), 08-20-2002, 03:51 AM
Ssh.bin in OpenSSH >2.9: java bytecode for smartcard support
 
#11  ifm, 08-21-2002, 05:25 PM
I would presume that installing OpenSSH_3.4p1 on "JUNE" 30th is ok, right? This trojan wasn't in effect up UNTIL the 31st of July since it was first posted... ?

Last edited by ifm; 08-21-2002 at 05:27 PM.
 
#12  stickman, 09-16-2002, 02:06 PM
The easiest way to tell if your source is good is to check the MD5 checksums that are published on the OpenSSH site.
All times are GMT -5.