
/usr/bin/ssh-copy-id & trojan or variant UNIX/Exploit-SSHIDEN



Dear all,

Can anybody explain the following?

My virus scanner reported the following after the scan tonight:

/usr/bin/ssh-copy-id
          Found trojan or variant UNIX/Exploit-SSHIDEN !!!
           Please send a copy of the file to Network Associates
           The file has been renamed.

I used the following virus-scanner:

Virus Scan for Linux v4.16.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832  LICENSED COPY - Nov 13 2001

Scan engine v4.2.40 for Linux.
Virus data file v4314 created Jan 14 2004
Scanning for 84549 viruses, trojans and variants.

As mentioned by McAfee in http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100960 I removed the ssh package and installed it again. However the file /usr/bin/ssh-copy-id gets installed again with the same contents and the same creation date.

My sources.list looks like:
deb ftp://download.xs4all.nl/pub/mirror/debian/ stable main non-free contrib
deb-src ftp://download.xs4all.nl/pub/mirror/debian/ stable main non-free contrib
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
deb-src http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
deb http://security.debian.org/ stable/updates main contrib non-free
deb file:/home/debs/ pakketten/

Furthermore ls -al gives:
-rwxr-xr-x    1 root     root         1115 Sep 19 10:07 /usr/bin/ssh-copy-id

Output of uname -a:
Linux <snip> 2.4.23 #1 Sun Dec 28 12:46:20 CET 2003 i686 unknown


The content of ssh-copy-id gives:
#!/bin/sh

# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.

ID_FILE="${HOME}/.ssh/identity.pub"

if [ "-i" = "$1" ]; then
 shift
 # check if we have 2 parameters left, if so the first is the new ID file
 if [ -n "$2" ]; then
   if expr "$1" : ".*\.pub" ; then
     ID_FILE="$1"
   else
     ID_FILE="$1.pub"
   fi
   shift         # and this should leave $1 as the target name
 fi
else
 if [ x$SSH_AUTH_SOCK != x ] ; then
   GET_ID="$GET_ID ssh-add -L"
 fi
fi

if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then
 GET_ID="cat ${ID_FILE}"
fi

if [ -z "`eval $GET_ID`" ]; then
 echo "$0: ERROR: No identities found"
 exit 1
fi

{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"

cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:

 .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

EOF
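The question the post raises is whether /usr/bin/ssh-copy-id is the file the Debian ssh package ships or a modified one. A reinstall that produces identical contents points at the former, and the direct way to confirm it is to compare the installed file with the checksum dpkg recorded for its owning package. The script below is an added example, not code from the original message or from the ssh package; it implements that comparison against a dpkg-style md5sums manifest and, because it has to run offline, exercises it on a constructed temporary tree whose manifest is recorded from a pristine stand-in file before the file is tampered with. The function and file names, the sample content and the temporary paths are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post or the ssh package): verify a file
# against the md5 manifest dpkg records for its owning package, to distinguish
# the distribution's own file from a modified one. All sample data is constructed.

# verify_against_manifest MANIFEST ROOT RELPATH
#   MANIFEST: dpkg-style md5sums file, one "<md5>  <relative path>" per line
#   ROOT:     directory the relative paths are resolved under ("/" on a real host)
#   RELPATH:  path relative to ROOT, e.g. usr/bin/ssh-copy-id
# Prints OK / MISMATCH / NOT-IN-MANIFEST; returns 0, 1 or 2 respectively.
verify_against_manifest() {
    manifest=$1; root=$2; rel=$3
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$manifest")
    if [ -z "$expected" ]; then
        echo "NOT-IN-MANIFEST $rel"
        return 2
    fi
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK $rel"
        return 0
    fi
    echo "MISMATCH $rel expected=$expected actual=$actual"
    return 1
}

# On a real Debian host the manifest is the one dpkg keeps for the owning
# package (the poster's file belongs to the "ssh" package):
#   pkg=$(dpkg -S /usr/bin/ssh-copy-id | cut -d: -f1)
#   verify_against_manifest "/var/lib/dpkg/info/$pkg.md5sums" / usr/bin/ssh-copy-id
# The debsums tool performs the same comparison for every file of a package.

# status_of CMD...: run CMD with its output discarded and print its exit status
# (written as an && / || list so a failing CMD does not trip "set -e").
status_of() { "$@" >/dev/null 2>&1 && echo 0 || echo $?; }

# demo_statuses: constructed scenario. Prints three statuses on one line:
# the pristine file (0), the same file after tampering (1), an unlisted file (2).
demo_statuses() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin"
    # Constructed stand-in for the installed script.
    printf '#!/bin/sh\n# stand-in for ssh-copy-id\necho hello\n' > "$tmp/usr/bin/ssh-copy-id"
    # Constructed manifest, recorded from the pristine file as dpkg would at install time.
    ( cd "$tmp" && md5sum usr/bin/ssh-copy-id ) > "$tmp/ssh.md5sums"

    s_pristine=$(status_of verify_against_manifest "$tmp/ssh.md5sums" "$tmp" usr/bin/ssh-copy-id)
    # Simulate a modified file: any change to the contents changes the digest.
    echo '# extra line not in the packaged file' >> "$tmp/usr/bin/ssh-copy-id"
    s_tampered=$(status_of verify_against_manifest "$tmp/ssh.md5sums" "$tmp" usr/bin/ssh-copy-id)
    s_unlisted=$(status_of verify_against_manifest "$tmp/ssh.md5sums" "$tmp" usr/bin/no-such-file)

    rm -rf "$tmp"
    echo "$s_pristine $s_tampered $s_unlisted"
}

# Stand-alone run: expected "0 1 2".
demo_statuses
```

If the installed ssh-copy-id matches the checksum in the ssh package's md5sums file, the scanner is matching the distribution's own script (its behaviour is to append a public key to a remote authorized_keys file), not a file that was changed on this host; a mismatch is what would justify treating the file as modified.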




