Saturday, January 26, 2013
Hackers placed SSH backdoor on hacked servers
Recently, a group of attackers replaced all SSH-related binaries on compromised servers with backdoored versions designed to capture everything typed in SSH sessions and send it to a server under their control. This was reported by Sucuri, a company specialising in protection against web-based attacks.
"I have seen SSHD backdoors in the past, though on a small scale and not on public servers. However, the new attack is different from anything I had seen before," says Daniel Cid, CTO of Sucuri. The attackers modify not only the SSH daemon but all of the SSH binaries (ssh, ssh-agent and sshd), with the main goal of stealing credentials from the server.
With this technique the attackers retain control over the compromised machine even if the server administrator changes his own password and all user passwords. In the cases Sucuri examined, the administrator had removed the rogue Apache module and changed all passwords, yet the attack recurred within a few days, says Cid.
According to him, the new credentials were intercepted through the very SSH backdoor the attackers had left on the server after the first compromise. It is a fairly trivial technique that lets an attacker who has entered a system once keep control of it for a long time with little risk of detection. The initial break-in can happen in many ways: brute force, exploitation of a vulnerability in third-party software, or simply stealing existing credentials by some means.
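A defender-side check for the scenario described above, added here as an example and not part of the original report or Sucuri's tooling: compare the current ssh, ssh-agent and sshd binaries against a baseline of SHA-256 hashes recorded from a known-good install. The baseline format and the binary paths mentioned in the comments are assumptions; the demo uses constructed stand-in files.

```shell
#!/bin/sh
# Added example (not from the original report): spot replaced SSH binaries by
# comparing their SHA-256 hashes with a baseline recorded from a known-good
# install. Changing passwords does not help while these binaries are trojaned.

# verify_baseline BASELINE
#   BASELINE holds lines in sha256sum format: "<sha256>  <path>".
#   Prints CHANGED/MISSING for every path that no longer matches and
#   returns 1 if anything differs, 0 if every binary matches.
verify_baseline() {
    baseline="$1"
    status=0
    while read -r expected path; do
        [ -z "$path" ] && continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        actual=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "CHANGED  $path"
            status=1
        fi
    done < "$baseline"
    return "$status"
}

# Demo with constructed stand-in files in a temporary directory; on a real
# host the baseline would list /usr/bin/ssh, /usr/bin/ssh-agent and
# /usr/sbin/sshd (assumed paths) and be stored off the machine.
demo() {
    tmp=$(mktemp -d)
    for b in ssh ssh-agent sshd; do
        printf 'clean %s binary\n' "$b" > "$tmp/$b"
    done
    sha256sum "$tmp/ssh" "$tmp/ssh-agent" "$tmp/sshd" > "$tmp/baseline.sha256"
    # Simulate the attack: sshd is swapped for a credential-logging build.
    printf 'trojaned sshd\n' > "$tmp/sshd"
    verify_baseline "$tmp/baseline.sha256"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo || echo "baseline check failed: at least one SSH binary was replaced"
```

On package-managed systems, `rpm -V openssh-server` or `debsums openssh-server` perform the same comparison against the package manifest, but a baseline kept off the host is harder for an intruder with root to tamper with.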
The wave of attacks using fake Apache modules swept across the network from August to October of last year.
Many of those attacks were linked to the DarkLeech attack toolkit. So far the experts have no evidence that the SSH backdoor is part of a new version of DarkLeech.