Re: /usr/bin/ssh-copy-id & trojan or variant UNIX/Exploit-SSHIDEN
I copied the binary from a friend's woody box, and ran
f-prot against it, and didn't find anything. I've
included the md5 of his binary as well.
$ f-prot ./ssh-copy-id
Virus scanning report - 15 January 2004 @ 12:08
F-PROT ANTIVIRUS
Program version: 4.2.1
Engine version: 3.13.4
VIRUS SIGNATURE FILES
SIGN.DEF created 9 January 2004
SIGN2.DEF created 9 January 2004
MACRO.DEF created 12 January 2004
Search: ./ssh-copy-id
Action: Report only
Files: Attempt to identify files
Switches: <none>
Results of virus scanning:
Files: 1
MBRs: 0
Boot sectors: 0
Objects scanned: 1
Time: 0:00
No viruses or suspicious files/boot sectors were found.
$ md5sum ./ssh-copy-id
a36ef875ba1c83e0c6d7cbf276e7f0f0 ./ssh-copy-id
Regards,
Josh
--- Asim Saglam <yoda2@yoda2.xs4all.nl> wrote:
> Dear all,
>
> Can anybody explain the following?
>
> My virus scanner reported the following after the
> scan tonight:
>
> /usr/bin/ssh-copy-id
> Found trojan or variant
> UNIX/Exploit-SSHIDEN !!!
> Please send a copy of the file to
> Network Associates
> The file has been renamed.
>
> I used the following virus-scanner:
>
> Virus Scan for Linux v4.16.0
> Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
> (408) 988-3832 LICENSED COPY - Nov 13 2001
>
> Scan engine v4.2.40 for Linux.
> Virus data file v4314 created Jan 14 2004
> Scanning for 84549 viruses, trojans and variants.
>
> As mentioned by McAfee in
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100960
> I removed the ssh package and installed it again. However the file
> /usr/bin/ssh-copy-id gets installed again with the same contents and the
> same creation date.
>
> My sources.list looks like:
> deb ftp://download.xs4all.nl/pub/mirror/debian/ stable main non-free contrib
> deb-src ftp://download.xs4all.nl/pub/mirror/debian/ stable main non-free contrib
> deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
> deb-src http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
> deb http://security.debian.org/ stable/updates main contrib non-free
> deb file:/home/debs/ pakketten/
>
> Furthermore ls -al gives:
> -rwxr-xr-x 1 root root 1115 Sep 19 10:07 /usr/bin/ssh-copy-id
>
> Output of uname -a:
> Linux <snip> 2.4.23 #1 Sun Dec 28 12:46:20 CET 2003 i686 unknown
>
>
> The content of ssh-copy-id gives:
> #!/bin/sh
>
> # Shell script to install your identity.pub on a remote machine
> # Takes the remote machine name as an argument.
> # Obviously, the remote machine must accept password authentication,
> # or one of the other keys in your ssh-agent, for this to work.
>
> ID_FILE="${HOME}/.ssh/identity.pub"
>
> if [ "-i" = "$1" ]; then
>   shift
>   # check if we have 2 parameters left, if so the first is the new ID file
>   if [ -n "$2" ]; then
>     if expr "$1" : ".*\.pub" ; then
>       ID_FILE="$1"
>     else
>       ID_FILE="$1.pub"
>     fi
>     shift         # and this should leave $1 as the target name
>   fi
> else
>   if [ x$SSH_AUTH_SOCK != x ] ; then
>     GET_ID="$GET_ID ssh-add -L"
>   fi
> fi
>
> if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then
>   GET_ID="cat ${ID_FILE}"
> fi
>
> if [ -z "`eval $GET_ID`" ]; then
>   echo "$0: ERROR: No identities found"
>   exit 1
> fi
>
> { eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"
>
> cat <<EOF
> Now try logging into the machine, with "ssh '$1'", and check in:
>
>   .ssh/authorized_keys
>
> to make sure we haven't added extra keys that you weren't expecting.
>
> EOF
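Neither a clean f-prot run nor McAfee's detection settles whether the file on disk is the one Debian shipped; the direct check is to compare it against the checksum list recorded by the package itself. The script below is an added example written for this page, not code from the thread, from Debian or from McAfee. It implements that comparison as a shell function and exercises it against a constructed temporary directory so it runs offline. On a real system the list is /var/lib/dpkg/info/<pkg>.md5sums (find <pkg> with `dpkg -S /usr/bin/ssh-copy-id`; on woody that is the ssh package) and debsums(1) runs the same loop for every file. The caveat for a disputed file: the md5sums list lives on the same host as the file, so whoever could alter one could alter the other; the trustworthy reference is a freshly downloaded .deb from the mirror, unpacked and hashed on a machine you trust.

```sh
#!/bin/sh
# Added example, not part of the original thread: check an installed file
# against the md5 list its Debian package shipped.
#
# Real inputs on a Debian system would be:
#   pkg=$(dpkg -S /usr/bin/ssh-copy-id | cut -d: -f1)   # -> ssh on woody
#   /var/lib/dpkg/info/$pkg.md5sums                      # lines: "hash  usr/bin/..."
# Below, the list and the file are CONSTRUCTED in a temp dir so the script
# runs offline; the hashes are computed here, not the ones from the thread.
set -eu

# check_file_against_md5sums LIST ROOT RELPATH
#   exit 0: hash matches the package record
#   exit 1: file present but hash differs (modified or replaced)
#   exit 2: path not in the record at all (not shipped by the package)
check_file_against_md5sums() {
    list=$1; root=$2; rel=$3
    # dpkg records paths relative to /, without a leading slash.
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$list")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$root/$rel" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# Map the exit code to a word so results are easy to read and compare.
outcome() {
    rc=0
    check_file_against_md5sums "$@" || rc=$?
    case $rc in
        0) echo ok ;;
        1) echo mismatch ;;
        *) echo unknown ;;
    esac
}

# Constructed scenario: a pristine file, the same path after tampering, and
# a path the package never shipped. Prints the three verdicts on one line.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/root/usr/bin"
    printf '#!/bin/sh\necho pristine\n' > "$tmp/root/usr/bin/ssh-copy-id"
    # Build the "package" md5sums list from the pristine file, dpkg style.
    (cd "$tmp/root" && md5sum usr/bin/ssh-copy-id) > "$tmp/ssh.md5sums"

    r1=$(outcome "$tmp/ssh.md5sums" "$tmp/root" usr/bin/ssh-copy-id)
    # Simulate a replaced file: same path, different contents.
    printf '#!/bin/sh\necho tampered\n' > "$tmp/root/usr/bin/ssh-copy-id"
    r2=$(outcome "$tmp/ssh.md5sums" "$tmp/root" usr/bin/ssh-copy-id)
    # A file the package does not list at all.
    r3=$(outcome "$tmp/ssh.md5sums" "$tmp/root" usr/bin/not-shipped)

    rm -rf "$tmp"
    echo "$r1 $r2 $r3"
}

demo   # -> ok mismatch unknown
```

Run it as-is to see the three verdicts; to check a live system, point `check_file_against_md5sums` at /var/lib/dpkg/info/ssh.md5sums with ROOT=/ and RELPATH=usr/bin/ssh-copy-id. A `mismatch` on the real path, with a list taken from a clean .deb, is the signal worth acting on; an AV signature match on a 1115-byte shell script whose source is right there to read is not.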