Apparent SSH-1.2.27 Rootkit

Dan Kaminsky dankamin at cisco.com
Tue Jul 3 00:19:32 EST 2001


> I found this lurking around the web, and thought people who are
> running SSH-1.2.27 might be interested.

This is a genuine rootkit, i.e. it adds a global password to a *modified*
build of SSHD, rather than creating a "magic SSH client" that can force its
way into any existing build of 1.2.27.

It's trivial to modify almost any authentication system to allow an
arbitrary client full access.  It's when the unmodified authentication
systems allow that client entry that we get concerned :-)

Just mentioning this publicly in case someone pokes through the archives
and looks for a reply.

--Dan





More information about the openssh-unix-dev mailing list