Re: [Rkhunter-users] Trojaned SSHD
From: John H. <joh...@pl...> - 2014-03-11 17:21:48
On Tue, 2014-03-11 at 10:34 -0500, Wally wrote:
> Greetings. I've recently installed openssh 6.5p1, openssl 1.0.1f and
> rkhunter 1.4.2.
>
> Rkhunter issues the following warning:
> Warning: Checking for possible rootkit strings [ Warning ]
> Found string 'aion' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon
>
> $ strings sshd | grep aion
> Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)
>
> The string "aion" is found in the openssl distribution.
>
> I was able to find two perl files in the openssl source directory that
> contain these strings:
>
> ./crypto/aes/asm/vpaes-x86_64.pl on line 1063
> 1063 .asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"
>
> ./crypto/aes/asm/vpaes-x86.pl on line 156
> 156 &asciz ("Vector Permutation AES for x86/SSSE3, Mike Hamburg (Stanford University)");
>
> I'm contemplating editing the string out and recompiling, but perhaps
> there is a better way.

You can whitelist certain rootkit files. Look in the RKH configuration file
(something like RTKT_WHITELIST).

John.

--
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK      Fax: +44 (0)1752 587001
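
Added example, not part of the original thread and not rkhunter's own code: a small triage helper that generalizes the `strings sshd | grep aion` check above by listing every printable string containing the flagged substring and confirming that each one is the known OpenSSL banner before any whitelisting is considered. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Triage an rkhunter "rootkit strings" hit: show the full strings that
# contain the flagged substring, and check they are all accounted for.
# Function names and the sample data are constructed for this example.

# Print every printable run (4+ chars) in FILE that contains NEEDLE.
rk_string_context() {
    file=$1; needle=$2
    # Split the binary into lines at non-printable bytes, byte-wise (C locale).
    LC_ALL=C tr -c '[:print:]' '\n' < "$file" \
        | LC_ALL=C grep -F -- "$needle" \
        | awk 'length >= 4'
}

# Exit status: 0 = every string containing NEEDLE also contains EXPECTED,
#              1 = at least one hit is not explained by EXPECTED,
#              2 = NEEDLE does not occur in FILE at all.
rk_hit_explained() {
    file=$1; needle=$2; expected=$3
    hits=$(rk_string_context "$file" "$needle") || true
    [ -n "$hits" ] || return 2
    unexplained=$(printf '%s\n' "$hits" | LC_ALL=C grep -v -F -- "$expected") || true
    if [ -n "$unexplained" ]; then
        printf 'unexplained string: %s\n' "$unexplained" >&2
        return 1
    fi
    return 0
}

# Write a constructed stand-in for a binary: non-printable bytes around the
# OpenSSL banner quoted in the thread, plus a version-like string.
make_sample() {
    printf '\177ELF\001\002\000%s\000\001\002%s\000' \
        "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)" \
        "OpenSSH_6.5p1" > "$1"
}

# Usage: sh triage.sh /usr/sbin/sshd aion
if [ "$#" -ge 2 ]; then
    rk_string_context "$1" "$2"
fi
```

A status of 1 means the binary holds a string with the flagged substring that the expected banner does not account for, which is worth examining before the file is whitelisted.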