From owner-freebsd-security Wed Jan 19 4:43:30 2000
Date: Wed, 19 Jan 2000 13:43:25 +0100
From: Stephan van Beerschoten <stephanb@luna.nl>
To: freebsd-security@FreeBSD.ORG
Subject: ssh-feature 'backdoor'
Message-ID: <20000119134325.J2167@supra.rotterdam.luna.net>
X-Mailer: Mutt 0.95.6i
Organization: Luna Internet Services http://www.luna.nl

I have discovered the obvious.. I was helping a friend of mine who admins a couple of machines to find left-overs from hacks.. (the machine is used for these kinds of playful thingies) and we discovered something which other admins might not see because they don't think of it as a valid entry point.

sshd accepts connections with the RSA-key system (I love the system; I hop from one system to the next using it and the ssh-agent running), but a hacker had created a ~root/.ssh/authorized_keys file with his own key in it. The comment on the key was root@ so for the 'default' admin the key would not look like something which should not be there.. but it was the hacker's way to simply ssh to the box, enter his RSA passphrase (or let the ssh-agent take care of it) and he was in, having all the time to erase his presence from logs etc.

Just a hint.. watch the ~root/.ssh dir.
-Steve
-- 
Stephan van Beerschoten          Email: stephanb@luna.nl
Network Engineer                 Luna Internet Services
PGP fingerprint 4557 9761 B212 FB4C 778D 3529 C42A 2D27
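The point of the mail above is that the comment field of an authorized_keys entry is free text under the attacker's control, so "root@" proves nothing. The check an admin actually wants is an audit by key fingerprint against a baseline recorded when the legitimate keys were installed. The following is an added example written for this page, not code from the mail or from any FreeBSD tool: it parses authorized_keys lines (including the option prefix such as from="..." and command="..."), computes the OpenSSH-style SHA256 fingerprint of each key, checks that the key type embedded in the blob matches the declared type, and reports any key not on the allowlist regardless of what its comment says. The sample file, the placeholder 32-byte key values, the hostname in the comment and the KNOWN_GOOD set are all constructed for the example.

```python
import base64
import hashlib
import struct

# Added example (not from the original mail): audit ~root/.ssh/authorized_keys
# by key fingerprint, ignoring the free-text comment an intruder can set to "root@".

# Key types handled here (a subset; the sk-* FIDO types are omitted for brevity).
KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521", "ssh-dss")


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(raw_pubkey: bytes) -> str:
    """Base64 body of an ssh-ed25519 public key built from 32 raw bytes.
    Used only to construct offline sample data; the bytes are placeholders, not real keys."""
    return base64.b64encode(_ssh_string(b"ssh-ed25519") + _ssh_string(raw_pubkey)).decode("ascii")


def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint (the form `ssh-keygen -lf` prints):
    SHA256 over the decoded blob, base64 encoded with the '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(b64_blob, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_line(line: str):
    """Parse one authorized_keys line into (options, keytype, blob, comment).
    Returns None for blank lines and '#' comments. The options prefix may
    contain quoted commas and spaces, e.g. from="10.0.0.0/8,192.168.1.1"."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options = ""
    if not line.startswith(KEY_TYPES):
        # Scan to the first whitespace outside double quotes; that ends the options.
        in_quote, i = False, 0
        while i < len(line):
            if line[i] == '"':
                in_quote = not in_quote
            elif line[i].isspace() and not in_quote:
                break
            i += 1
        options, line = line[:i], line[i:].strip()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("unparseable authorized_keys line: %r" % line)
    comment = parts[2] if len(parts) == 3 else ""
    return options, parts[0], parts[1], comment


def audit_authorized_keys(text: str, allowed_fingerprints):
    """Return findings as (lineno, reason, fingerprint, comment) tuples.
    The comment is reported for context only; it plays no part in the decision."""
    findings = []
    for lineno, raw_line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_line(raw_line)
            if entry is None:
                continue
            options, keytype, blob, comment = entry
            decoded = base64.b64decode(blob, validate=True)
            (tlen,) = struct.unpack(">I", decoded[:4])
            embedded_type = decoded[4:4 + tlen].decode("ascii")
        except (ValueError, struct.error, UnicodeDecodeError) as exc:
            # binascii.Error from b64decode is a ValueError subclass.
            findings.append((lineno, "malformed: %s" % exc, None, None))
            continue
        fp = fingerprint(blob)
        if embedded_type != keytype:
            findings.append((lineno, "declared %s but blob is %s" % (keytype, embedded_type), fp, comment))
        if fp not in allowed_fingerprints:
            findings.append((lineno, "key not in allowlist", fp, comment))
    return findings


# Constructed sample data: the raw 32-byte values are placeholders, not real keys.
ADMIN_BLOB = make_ed25519_blob(b"\x01" * 32)
BACKUP_BLOB = make_ed25519_blob(b"\x03" * 32)
INTRUDER_BLOB = make_ed25519_blob(b"\x02" * 32)

SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# ~root/.ssh/authorized_keys (constructed sample)",
    "ssh-ed25519 %s root@admin-workstation" % ADMIN_BLOB,
    # The intruder's entry: the comment says root@, but the comment is free text.
    "ssh-ed25519 %s root@" % INTRUDER_BLOB,
    'from="10.0.0.0/8",no-pty,command="/usr/local/bin/backup" ssh-ed25519 %s backup' % BACKUP_BLOB,
])

# Baseline: fingerprints the admin knowingly installed (recorded with ssh-keygen -lf at install time).
KNOWN_GOOD = {fingerprint(ADMIN_BLOB), fingerprint(BACKUP_BLOB)}


def main():
    for lineno, reason, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_GOOD):
        print("line %d: %s (%s, comment %r)" % (lineno, reason, fp, comment))


if __name__ == "__main__":
    main()
```

In practice the baseline is the output of `ssh-keygen -lf ~root/.ssh/authorized_keys` taken at install time and kept off the host; running the audit from cron (or from a host-integrity tool that already watches ~root/.ssh) turns the "watch the ~root/.ssh dir" hint into a check that does not depend on an admin noticing an unfamiliar comment. The option prefix is parsed rather than skipped so that a key restricted with from= or command= is not mistaken for a malformed line.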