#34 rkhunter does not detect replaced ssh or sshd

Rkhunter (37)

Recently, on a server of mine a hacker replaced the ssh and sshd binaries.
Contrary to my expectations, this was not flagged by rkhunter during the 'file properties' check.
I believe this is because ssh and sshd are not included in the PROP_FILE_LIST list of files whose attributes are stored and verified by rkhunter.

I imagine that the replacement versions were modified to transmit submitted passwords to the hacker, and that this would be a common hacker tactic.
As such, I would request that both ssh and sshd be added to the PROP_FILE_LIST list.


  • John Horne

    John Horne - 2012-09-07
    • assigned_to: nobody --> jhorne
  • John Horne

    John Horne - 2012-09-07

    RKH does perform checks on both 'ssh' and 'sshd' as part of the rootkit checks. So I think my first request would be do you have copies of the ssh/sshd binaries so that we can see how we may improve the existing tests on them?

    It is, of course, possible for you to add ssh/sshd to the file properties list yourself in your own local config file. However,
    I agree that we should really monitor both those files by default, so I have added them to the CVS version.

  • Marco Vervoort

    Marco Vervoort - 2012-09-11

    Sadly, I neglected to preserve the hacked files.
    I normally make an effort to preserve them, but in this instance I was severely pressed for time due to other commitments, so I was reinstalling the files from RPM and restarting all compromised processes before I had time to properly consider the forensic aspects.
    The hacker had modified /etc/ssh/sshd_config to disable passwordless logins, which does point to a goal of password capture, but unfortunately without the hacked binaries I cannot contribute to the rootkit testing improvements (sorry).

  • John Horne

    John Horne - 2012-12-13
    • status: open --> closed-accepted

Log in to post a comment.

Get latest updates about Open Source Projects, Conferences and News.

Sign up for the SourceForge newsletter:

JavaScript is required for this form.

No, thanks