Adam Palmer MBCS CITP, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant

25 Dec 09 SSHing from a compromised machine

Often, when working on compromised machines as a security consultant, I find a malicious SSH binary. The malicious SSH binary generally logs all usernames, passwords and hosts connected to from the compromised machine, usually to a file under /tmp/. The attacker can then log back into the machine at a later date and collect this file.

The compromised SSH binary is usually over 10 times the size of the normal binary. This is because the attacker compiles it statically linked in the first place, meaning that all the libraries it depends on are compiled into the application. As long as the system architecture is the same, e.g. x86, the binary will then work regardless of distro or libc version. The attacker could compile the compromised SSH specifically for that libc/distro, but this is usually not the case. Either way, the binary will always differ in size, and will always have a different MD5 checksum compared to the legitimate binary. You can also run the strings utility against the SSH binary to find out more about its contents: usually 'strings' will reveal custom error messages and the path to the password log.
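As an added example that is not part of the original post, the following POSIX shell script applies the indicators described above to a given ssh binary: MD5 against a known-good checksum, size against the known-good size (using the 10x figure mentioned above), a check for a missing dynamic-loader path as a sign of static linking, and a strings-style scan for paths under /tmp. The known-good checksum and size are assumed to come from the distribution package or a trusted copy of the binary.

```shell
#!/bin/sh
# Added example, not the post's code. Flags the indicators the post lists
# (size, MD5 mismatch, /tmp log path in strings) plus a static-link check.
# Needs only POSIX sh, tr, grep, wc and md5sum; no strings(1) or file(1).

# Printable runs of four or more characters, like strings(1).
printable_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Prints 1 when no dynamic-loader path is embedded (heuristic for a static build).
looks_static() {
    if grep -aqE 'ld-linux|ld-musl|/lib(64)?/ld' "$1"; then echo 0; else echo 1; fi
}

# Embedded paths under /tmp, where the post says the credential log lands.
tmp_paths() {
    printable_strings "$1" | grep -oE '/tmp/[^[:space:]"]*' | sort -u
}

# audit_ssh_binary <path> <known-good md5> <known-good size in bytes>
# Prints one line per finding, then the number of findings on the last line.
audit_ssh_binary() {
    path=$1; good_md5=$2; good_size=$3; findings=0
    md5=$(md5sum "$path" | cut -d' ' -f1)
    size=$(wc -c < "$path" | tr -d ' ')
    if [ "$md5" != "$good_md5" ]; then
        echo "md5 mismatch: $md5 (expected $good_md5)"; findings=$((findings + 1))
    fi
    if [ "$size" -gt $((good_size * 10)) ]; then
        echo "size $size is over 10x the expected $good_size"; findings=$((findings + 1))
    elif [ "$size" -ne "$good_size" ]; then
        echo "size $size differs from expected $good_size"; findings=$((findings + 1))
    fi
    if [ "$(looks_static "$path")" = 1 ]; then
        echo "no dynamic loader path found: looks statically linked"; findings=$((findings + 1))
    fi
    paths=$(tmp_paths "$path")
    if [ -n "$paths" ]; then
        echo "embedded /tmp paths: $(printf '%s' "$paths" | tr '\n' ' ')"; findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed sample standing in for a trojanised ssh: a log path and a
# custom error message, no loader path. Written to the given file.
make_sample() {
    printf 'ELF\000\000junk\000/tmp/.sshpw\000Permission denied, please try again.\000' > "$1"
}
```

Run it as `audit_ssh_binary /usr/bin/ssh <md5> <size>` with values taken from the package or a trusted copy; `make_sample` only writes a constructed stand-in for trying the checks offline.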

This is a popular attack, as users regularly ssh from machine to machine, and often ssh as root, without any idea of which ssh binary they are using. Not only should you initiate outbound SSH connections only from your own trusted machine, and never from machine to machine, but you should also disable root login, and use su or sudo to get root access when required on the remote machine.

Merry Xmas :-)
