7. Did any of the SSH servers identified in question 5 appear to have been modified to collect unique information? If so, was any information collected?


We can see how the trojan process 'xopen' is started at 15:32, together with the sniffer 'lsn':

root 25239 0.0 0.3 1880 336 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25241 0.0 0.7 1888 672 ? S 15:32 0:00 /lib/.x/s/xopen -q -p
root 25247 0.0 0.7 1668 732 ? S 15:32 0:00 /lib/.x/s/lsn

lsn saves in the file 'mfs' a trace of the connections that the box makes with other hosts:


============================================================
Time: Sun Aug 10 15:40:47 Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:50 Size: 80
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:40:56 Size: 60
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:08 Size: 40
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:32 Size: 20
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 16:04:13 Size: 44
Path: proxyscan.undernet.org => 192.168.1.79 [23]
------------------------------------------------------------


...which in a way works in our favour, since it shows where the attacker himself connected (FTP on 63.99.224.38) to download his rootkit. It also shows that when the box connected to IRC, the IRC server (proxyscan.undernet.org) connected back to the machine to check for open proxies, which is quite a common practice among IRC servers. Unfortunately such checks can detect open proxies, but not bouncers (which perform the same function for the attacker, though!).
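As an added example (not part of the original analysis), a small parser for the 'mfs' record layout shown above that reconstructs which peers the box talked to, in which direction, and how much was captured; the sample input is copied from the excerpt and the local address 192.168.1.79 is taken from it.

```python
import re
from collections import defaultdict
# Sample records copied from the 'mfs' excerpt on this page (constructed test input).
SAMPLE_MFS = """\
============================================================
Time: Sun Aug 10 15:40:47 Size: 100
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 15:41:32 Size: 20
Path: 192.168.1.79 => 63.99.224.38 [21]
------------------------------------------------------------
============================================================
Time: Sun Aug 10 16:04:13 Size: 44
Path: proxyscan.undernet.org => 192.168.1.79 [23]
------------------------------------------------------------
"""

TIME_RE = re.compile(r"^Time:\s+(.+?)\s+Size:\s+(\d+)\s*$")
PATH_RE = re.compile(r"^Path:\s+(\S+)\s+=>\s+(\S+)\s+\[(\d+)\]\s*$")


def parse_mfs(text):
    """Turn the sniffer's '====' / Time / Path / '----' blocks into dicts."""
    records, cur = [], {}
    for line in text.splitlines():
        if line.startswith("=" * 10):
            cur = {}                                   # record separator: start afresh
        elif "time" not in cur and (m := TIME_RE.match(line)):
            cur["time"], cur["size"] = m.group(1), int(m.group(2))
        elif "time" in cur and (m := PATH_RE.match(line)):   # Path without Time is skipped
            cur.update(src=m.group(1), dst=m.group(2), port=int(m.group(3)))
            records.append(cur)
            cur = {}
    return records


def summarize(records, local_ip):
    """Group records by direction relative to the compromised host: (peer, port) -> [hits, bytes]."""
    out = {"outbound": defaultdict(lambda: [0, 0]), "inbound": defaultdict(lambda: [0, 0])}
    for r in records:
        if r["src"] == local_ip:
            direction, key = "outbound", (r["dst"], r["port"])
        elif r["dst"] == local_ip:
            direction, key = "inbound", (r["src"], r["port"])
        else:
            continue                                   # traffic not involving the host
        out[direction][key][0] += 1
        out[direction][key][1] += r["size"]
    return out
```

Running `summarize(parse_mfs(SAMPLE_MFS), "192.168.1.79")` groups the two FTP records to 63.99.224.38 as outbound and the proxyscan connection as inbound.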

Moreover, we see that the configuration file '/lib/.x/s/sshd_config' has some options that are not quite the default ones, such as 'PermitEmptyPasswords yes' and 'UseLogin no':

# This is ssh server systemwide configuration file.
Port 22
ListenAddress 0.0.0.0
HostKey /lib/.x/s/s_h_k
RandomSeed /lib/.x/s/r_s
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
QuietMode yes
X11Forwarding yes
X11DisplayOffset 10
FascistLogging no
PrintMotd yes
KeepAlive yes
SyslogFacility DAEMON
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
UseLogin no

CheckMail yes
PidFile /lib/.x/s/pid
# AllowHosts *.our.com friend.other.com
# DenyHosts lowsecurity.theirs.com *.evil.org evil.org
# Umask 022
# SilentDeny yes
