From owner-freebsd-security Thu Aug 1 6:54:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 356B737B400 for ; Thu, 1 Aug 2002 06:54:47 -0700 (PDT)
Received: from cithaeron.argolis.org (pool-138-88-142-95.esr.east.verizon.net [138.88.142.95]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0AB6743E88 for ; Thu, 1 Aug 2002 06:54:46 -0700 (PDT) (envelope-from piechota@argolis.org)
Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.5/8.12.5) with ESMTP id g71DGsw4091112; Thu, 1 Aug 2002 09:16:54 -0400 (EDT) (envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.5/8.12.5/Submit) with ESMTP id g71DGr7U091109; Thu, 1 Aug 2002 09:16:54 -0400 (EDT)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Thu, 1 Aug 2002 09:16:53 -0400 (EDT)
From: Matt Piechota
To: Artur Lindgren
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Trojan located in latest openssh tar files
In-Reply-To:
Message-ID: <20020801091503.H91087-100000@cithaeron.argolis.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Thu, 1 Aug 2002, Artur Lindgren wrote:

> It runs once, upon compilation of openssh, and is named sh or the
> compiling user's default shell in the processlist in the process
> listing.
> This trojan attempts to connect to 203.62.158.32:6667 (hacked machine
> which has been secured now),
> and awaits one of three characters as the command;
> D execs /bin/sh
> M respawns
> A kills the daemon
> The /bin/sh executed via the D command was controlled by the daemon
> listening on 203.62.158.32:6667, potentially meaning that
> people affected by this have given a shell, possibly root, to user unknown.

Sounds like it'd only work for the current boot of the machine? Or does it
hide somewhere and persist after reboot?

--
Matt Piechota

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
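As an added example (not part of this thread or of OpenSSH), the indicators in Artur's description can be turned into a host-side check: the backdoor process shows up as a shell in the process list and holds an outbound connection to 203.62.158.32:6667, so a `sockstat -4` listing can be scanned for either sign. The sample output below is constructed for the example, in the column layout of FreeBSD's `sockstat`, and the set of shell names is an assumption.

```python
# Indicator quoted in the message above: the trojan's callback host and port.
C2_HOST = "203.62.158.32"
C2_PORT = "6667"

# Assumed names a compiling user's shell could appear under in a process list.
SHELLS = {"sh", "csh", "tcsh", "ksh", "bash", "zsh"}

# Constructed sample in the column layout of `sockstat -4` (not a real capture).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       612   4  tcp4   *:22                  *:*
build    sh         1234  3  tcp4   10.0.0.5:49152        203.62.158.32:6667
build    tcsh       1300  3  tcp4   10.0.0.5:49180        192.0.2.44:6667
build    cc1        1240  3  tcp4   10.0.0.5:49160        10.0.0.9:6667
alice    irssi      2001  5  tcp4   10.0.0.5:49170        198.51.100.7:6667
"""


def parse_sockstat(text):
    """Turn sockstat output into a list of dicts, one per socket row."""
    rows = []
    for line in text.splitlines()[1:]:  # first line is the column header
        parts = line.split()
        if len(parts) < 7:
            continue
        user, command, pid, fd, proto, local, foreign = parts[:7]
        host, _, port = foreign.rpartition(":")  # "*:*" yields host "*", port "*"
        rows.append({"user": user, "command": command, "pid": int(pid),
                     "proto": proto, "foreign_host": host, "foreign_port": port})
    return rows


def find_suspicious(rows):
    """Flag the known callback address, and any shell talking to port 6667."""
    hits = []
    for r in rows:
        if r["foreign_host"] == C2_HOST and r["foreign_port"] == C2_PORT:
            hits.append((r["pid"], r["command"], "connection to known callback host"))
        elif r["command"] in SHELLS and r["foreign_port"] == C2_PORT:
            hits.append((r["pid"], r["command"], "shell with outbound IRC-port connection"))
    return hits


if __name__ == "__main__":
    for pid, cmd, reason in find_suspicious(parse_sockstat(SAMPLE_SOCKSTAT)):
        print(f"pid {pid} ({cmd}): {reason}")
```

A compiler process or an ordinary IRC client talking to port 6667 is deliberately not flagged by the second rule; only the exact callback address or a shell process is.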