7. Did any of the SSH servers identified in question 5 appear to have been modified to collect unique information? If so, was any information collected?
We can see that the trojan process 'xopen' was started at 15:32, together with the sniffer 'lsn':
root 25239 0.0 0.3 1880 336 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25241 0.0 0.7 1888 672 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25247 0.0 0.7 1668 732 ? S 15:32 0:00 /lib/.x/s/lsn
lsn saves to the file 'mfs' a trace of the connections that the box makes with other hosts:
============================================================
Time: Sun Aug 10 15:40:47 Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:50 Size: 80
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:56 Size: 60
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:08 Size: 40
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:32 Size: 20
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 16:04:13 Size: 44
Path: proxyscan.undernet.org => 192.168.1.79 [23]
------------------------------------------------------------
...which in a way works in our favour, since it shows where the attacker
himself connected (FTP to 63.99.224.38) to download his rootkit. It also
shows that, when the box connected to IRC, the IRC server connected back
to the machine to check for open proxies, which is quite a common
practice among IRC servers. Unfortunately such servers are able to check
for proxies, but not for bouncers (which perform the same function for
the hacker, though!).
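The 'mfs' records above have a fixed two-line layout (a Time/Size line followed by a Path line), so a small parser can turn the trace into a per-peer summary that separates connections the victim initiated from connections made to it. This is an added triage helper, not part of the original analysis or the rootkit; the sample text is copied from the excerpt above and the victim address 192.168.1.79 is taken from it.

```python
import re
from collections import defaultdict

# Constructed sample: three records copied from the 'mfs' trace quoted above.
SAMPLE_MFS = """\
============================================================
Time: Sun Aug 10 15:40:47 Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:50 Size: 80
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 16:04:13 Size: 44
Path: proxyscan.undernet.org => 192.168.1.79 [23]
------------------------------------------------------------
"""

# One record = a "Time: ... Size: N" line followed by a "Path: src => dst [port]" line.
RECORD_RE = re.compile(
    r"Time:\s+(?P<time>.+?)\s+Size:\s+(?P<size>\d+)\s*\n"
    r"Path:\s+(?P<src>\S+)\s+=>\s+(?P<dst>\S+)\s+\[(?P<port>\d+)\]"
)

def parse_mfs(text):
    """Return a list of dicts, one per record, with size and port as ints."""
    records = []
    for m in RECORD_RE.finditer(text):
        rec = m.groupdict()
        rec["size"], rec["port"] = int(rec["size"]), int(rec["port"])
        records.append(rec)
    return records

def summarize(records, victim):
    """Total bytes per (direction, peer, port) relative to the victim host:
    'out' = connection the victim made (the attacker's FTP download here),
    'in'  = connection made to the victim (the IRC proxy scan here)."""
    totals = defaultdict(int)
    for r in records:
        if r["src"] == victim:
            totals[("out", r["dst"], r["port"])] += r["size"]
        elif r["dst"] == victim:
            totals[("in", r["src"], r["port"])] += r["size"]
    return dict(totals)

if __name__ == "__main__":
    for (direction, peer, port), nbytes in sorted(
            summarize(parse_mfs(SAMPLE_MFS), "192.168.1.79").items()):
        print(f"{direction:>5} {peer:<28} port {port:<5} {nbytes:>6} bytes")
```

Running it against a full 'mfs' file gives the list of remote hosts and ports the compromised box talked to, which is the first thing to feed into a block list or a search of the other hosts' logs.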
Moreover, we see that the configuration file '/lib/.x/s/sshd_config' has some options that are not quite the default ones, such as 'PermitEmptyPasswords yes' and 'UseLogin no':
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /lib/.x/s/s_h_k
RandomSeed /lib/.x/s/r_s
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode yes
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no
CheckMail yes
PidFile /lib/.x/s/pid
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
# SilentDeny yes