Daniel Hood wrote:
> List,
>
> I'm looking into SSH Trojans, just a general understanding of them so I
> can hopefully someday tell the difference between an SSH Trojan and
> the rear end of my heel and not have to make stupid "AM I HAX0RED?!?"
> forum posts. But after a couple of hours of googling though, I can't
> seem to turn up any traces of actual SSH Trojans. I've found SSH
> Trojan v.1.x but that's like 1999-ish. Are there any SSH Trojans still
> around? Say created after 2005-ish? If so, what are their names? I'm
> not sure if it's because I typed the wrong thing into Google and thus
> pissed it off, but I just can't seem to find any actual examples, to
> have a play around with.

Well, I've seen quite a few in my day. Don't know the names, but have
seen a number of hackers replace the sshd binaries on hacked systems with
ones that either:

1. Log sniffed credentials to a file
2. Exfiltrate via stealthy connection to remote host
3. Backdoor access - special account and/or password built into sshd
   binary giving instant root....

Checking timestamp on sshd and running strings on it could be useful.

>
> Also, my other question to ask is "How often are SSH-based Trojans,
> seen in the wild?". What I mean by that is: Does every server you've
> ever performed forensics on contain an SSH Trojan or is it like 4 - 5
> maximum out of your career?
15-20 in the last 8 years.
>
> Thanks,
>
> Daniel
>
--
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204
The reason you are having computer problems is:
knot in cables caused data stream to become twisted and kinked
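
An added example, not part of the original thread: a small triage helper for the two checks mentioned in the reply above (the timestamps on sshd, and the strings embedded in it). The path heuristic, the function names and the sample bytes are assumptions made for illustration; on a real host the input would be the sshd binary and the reference time would be the last known legitimate install or patch.

```python
import os
import re
import tempfile
import time

PRINTABLE = re.compile(rb"[\x20-\x7e]{6,}")   # strings(1)-style runs, min length 6
# Assumed heuristic, not from the post: a stock sshd has little reason to embed
# paths under world-writable directories or paths ending in a hidden file.
SUSPECT = re.compile(rb"^/(tmp|var/tmp|dev/shm)/|/\.[^/.][^/]*$")

# Constructed sample standing in for a binary; not taken from any real file.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00" + b"/etc/ssh/sshd_config\x00"
          + b"\x00\x03/var/tmp/.cache/creds.log\x00" + b"Accepted %s for %s\x00")

def extract_strings(path):
    """Return printable ASCII runs from the file, like strings(1)."""
    with open(path, "rb") as fh:
        return [m.decode("ascii") for m in PRINTABLE.findall(fh.read())]

def suspicious_strings(path):
    """Return embedded strings that match the assumed path heuristic."""
    return [s for s in extract_strings(path) if SUSPECT.search(s.strip().encode())]

def changed_since(path, reference_epoch):
    """Name the timestamps later than the last known-good install/patch time.
    mtime can be set back with touch/utime; ctime is set by the kernel on any
    inode change, so a backdated mtime with a recent ctime stands out."""
    st = os.stat(path)
    stamps = (("mtime", st.st_mtime), ("ctime", st.st_ctime))
    return [name for name, value in stamps if value > reference_epoch]

def write_sample(backdate_to=978307200):      # 2001-01-01 UTC, constructed value
    """Write SAMPLE to a temp file and backdate its mtime for the demo."""
    fd, path = tempfile.mkstemp(prefix="sshd-sample-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(SAMPLE)
    os.utime(path, (backdate_to, backdate_to))
    return path

if __name__ == "__main__":
    path = write_sample()
    try:
        print("changed since reference:", changed_since(path, time.time() - 3600))
        for s in suspicious_strings(path):
            print("review:", s)
    finally:
        os.remove(path)
```

A hit from either function is a lead for manual review, not a verdict; comparing the binary's hash against the distribution package is the stronger check where a package database can be trusted.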