View Issue Details

ID: 0003939
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2017-03-30 10:18
Reporter: dr4kk4r
Assigned To: rhertzog
Priority: high
Severity: major
Reproducibility: always
Status: closed
Resolution: no change required
Product Version: 2016.2
Summary: 0003939: openssh package infected with backdoor - OpenSSH_7.4p1 Debian-9, OpenSSL 1.0.2k 26 Jan 2017
Description

In late 2013, security researchers identified thousands of Linux systems around the world infected with the OpenSSH backdoor trojan and credential stealer named Linux/Ebury, which allows remote attackers unauthorized access to an affected computer.

Antivirus firm ESET's researcher team has been tracking and investigating the operation behind Linux/Ebury and today the team uncovered the details [Report PDF] of a massive, sophisticated and organized malware campaign called 'Operation Windigo', which infected more than 500,000 computers and 25,000 dedicated servers.

kali-linux old fix

0001096: openssh package infected with backdoor fix closed

Steps To Reproduce

Execute this little command in terminal:

My System

uname -a
Linux dr4kk4r 4.9.0-kali1-686-pae #1 SMP Debian 4.9.6-3kali2 (2017-01-30) i686 GNU/Linux

ssh -V
OpenSSH_7.4p1 Debian-9, OpenSSL 1.0.2k 26 Jan 2017

ssh -G
usage: ssh [-1246AaCfGgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
[-D [bind_address:]port] [-E log_file] [-e escape_char]
[-F configfile] [-I pkcs11] [-i identity_file]
[-J [user@]host[:port]] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-p port] [-Q query_option] [-R address]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
[user@]hostname [command]

ssh -G 2>&1 | grep -e illegal -e unknown > /dev/null && echo "System clean" || echo "System infected"
System infected

ls -1altr /var/cache/apt/archives/openssh*
-rw-r--r-- 1 root root 44958 mar 16 18:11 /var/cache/apt/archives/openssh-sftp-server_1%3a7.4p1-9_i386.deb
-rw-r--r-- 1 root root 374040 mar 16 18:11 /var/cache/apt/archives/openssh-server_1%3a7.4p1-9_i386.deb
-rw-r--r-- 1 root root 842210 mar 16 18:11 /var/cache/apt/archives/openssh-client_1%3a7.4p1-9_i386.deb

cat /etc/apt/sources.list
deb http://http.kali.org/kali kali-rolling main contrib non-free

Activities

rhertzog (administrator), 2017-03-30 10:18, note ~0006542

This old check is no longer working... a real -G option has been added in version 6.9 of OpenSSH so the command line test is ineffective.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796599 for a longer explanation.

Kali is not infected by Ebury.
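Added example, not code from the bug report or from Kali: a POSIX shell check that applies the old "ssh -G" heuristic only when the OpenSSH version predates 6.9 (where a real -G option was introduced), and otherwise reports the heuristic as not applicable. The `dpkg --verify` hint in the fallback message is the example's own suggestion, and the sample banners are constructed.

```shell
#!/bin/sh
# Gate the old "ssh -G" Ebury heuristic on the OpenSSH version: from 6.9 on,
# -G is a real option, so "no usage error" no longer means "backdoored".

# Extract "major.minor" from an `ssh -V` banner, e.g.
# "OpenSSH_7.4p1 Debian-9, OpenSSL 1.0.2k 26 Jan 2017" -> "7.4"
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Exit status 0 when the heuristic is still meaningful (OpenSSH < 6.9), 1 otherwise.
g_heuristic_applies() {
    ver=$(ssh_version_from_banner "$1")
    [ -n "$ver" ] || return 1           # unparsable banner: do not trust the heuristic
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -lt 6 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -lt 9 ]; then return 0; fi
    return 1
}

# Classify from the `ssh -V` banner and the text of `ssh -G 2>&1`,
# both passed in as strings so the logic can be exercised offline.
classify() {
    banner=$1
    g_output=$2
    if g_heuristic_applies "$banner"; then
        if printf '%s\n' "$g_output" | grep -q -e illegal -e unknown; then
            echo "heuristic: clean (this ssh rejects -G as expected)"
        else
            echo "heuristic: suspicious (ssh older than 6.9 accepted -G)"
        fi
    else
        echo "heuristic: not applicable to OpenSSH $(ssh_version_from_banner "$banner"); verify package integrity instead (e.g. dpkg --verify openssh-client)"
    fi
}

# Live use on the local host: ./check.sh --live
if [ "${1:-}" = "--live" ]; then
    classify "$(ssh -V 2>&1)" "$(ssh -G 2>&1)"
fi
```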

Issue History

Date Modified     Username  Field        Change
2017-03-30 09:46  dr4kk4r   New Issue
2017-03-30 10:18  rhertzog  Assigned To  => rhertzog
2017-03-30 10:18  rhertzog  Status       new => closed
2017-03-30 10:18  rhertzog  Resolution   open => no change required
2017-03-30 10:18  rhertzog  Note Added   0006542