Re: [Rkhunter-users] Trojaned SSHD

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Tue, 2014-03-11 at 10:34 -0500, Wally wrote:
> Greetings.  I've recently installed openssh 6.5p1, openssl 1.0.1f and
> rkhunter 1.4.2.  
> 
> 
> Rkunter issues the following warning: 
> Warning: Checking for possible rootkit strings    [ Warning ]Found
> string 'aion' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH
> daemon
> 
> 
> 
> 
> $ strings sshd | grep aion
> 
> Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford
> University)
> 
> 
> The string "aion" is found in the openssl distribution. 
> 
> 
> 
> I was able to find two perl files in the openssl source directory that
> contain these strings:
> 
> 
> ./crypto/aes/asm/vpaes-x86_64.pl on line 1063 
> 
> 1063 .asciz  "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg
> (Stanford University)"
> 
> 
> 
> ./crypto/aes/asm/vpaes-x86.pl on line 156
> 
> 156 &asciz  ("Vector Permutation AES for x86/SSSE3, Mike Hamburg
> (Stanford University)");
> 
> 
> I'm contemplating editing the string out and recompiling, but perhaps
> there is a better way.  
> 
You can whitelist certain rootkit files. Look in the RKH configuration
file (something like RTKT_WHITELIST).

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001