Linux/SSHDoor.A Backdoored SSH daemon that steals passwords

ComputerSaysNo · Feb 5, 2013

The backdoor can also retrieve configuration data from the file /var/run/.options. If this file exists the backdoor will use the hostname, backdoor password and SSH key stored in it. The variables are stored one per line in cleartext.

As with Linux/Chapro.A, it is hard to tell how this Trojanized SSH daemon made its way on a compromised server but outdated applications or weak passwords are probably to blame. Finding backdoored files can be problematic for most system administrators. We recommend regular use of integrity checking tools plus monitoring of outgoing network connections and regular scanning of all files by an antivirus product. This threat is detected by ESET as Linux/SSHDoor.A.
Click to expand...

http://blog.eset.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords

Gullible Jones · Feb 7, 2013

Interesting, thanks.

Re what they say about integrity checkers. This clearly requires root access to install; wouldn't that make any IDS a good deal less reliable?

Edit: Oh yeah... Good on ESET for not recommending a real-time AV on a server. Geeze.

NGRhodes · Feb 7, 2013

I doubt the author is the one who did the investigation and decompiling for the article:

"it is hard to tell how this Trojanized SSH daemon made its way on a compromised server "

The page that is cited as source explains in detail.

Cheers, Nick

Log in or Sign up

Linux/SSHDoor.A Backdoored SSH daemon that steals passwords

ComputerSaysNo Guest

Gullible Jones Guest

NGRhodes Registered Member

Log in or Sign up

Linux/SSHDoor.A Backdoored SSH daemon that steals passwords

ComputerSaysNo Guest

Gullible Jones Guest

NGRhodes Registered Member

Useful Searches