SSH Rootkit 6 review
SSH Rootkit is a patch for the latest version of SSH 1.2 to enable "rootkit" features like incoming/outgoing password logging and a "global password" that allows login into any account using a pre-defined password.
Adds options to the SSH configure script to enable the rootkit features. Script kiddie dream!
WARNING: If configure fails on your system for some reason, re-run autoheader / autoconf in the ssh dir after patching.
WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!
PLEASE READ THE SECTION ABOUT SETTING FILE MODES FOR THE
USERNAME/PASSWORD LOG FILE!!! IF YOU DON'T, SSH ROOTKIT
WILL NOT WORK!!! IF I GET ANY EMAIL ABOUT "SIGNAL 11"
WHEN RUNNING SSH, I WILL IGNORE IT!
WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!
NOTICE: This version includes patches from these people: Zelea, spwn.
NOTICE: Setting file modes on the logfile. PLEASE make sure that your selected log file (--enable-ssh-log=whatever) is set to mode 666 (read/write by all). It is extremely important to do this, because otherwise ssh will not be able to fopen() the log file and will die with signal 11. No, there is not an easy way to make it open the file while it's still root. So, to summarize this:
# chmod 666 /wherever/your/log/file/is/.logfile
If you don't do this, don't come crying to me after the admin finds you.
What's New in This Release:
now uses configure options to enable rootkit features
NEW logging facility: saves incoming AND outgoing logins into a file; outgoing logins are saved with a [successful] or [failed] message, great in case the user types some -other- password, then you can have access to TWO of his shells
general code cleanup
build against ssh-1.2.27
corrected a bug that prevented wtmp/utmp login when RSA authentication and .shosts was used
when logging in with the 'global' password, a message "Closed connection from %IP%" is logged
encrypted 'global' password
Your password isn't stored in clear anymore in the sshd daemon. Only the MD5 hash of your password is. This will prevent anyone from retrieving that password from the binary file.
The logfile is still stored in cleartext though, so take caution when choosing a filename. The best place is somewhere in /dev; however, *BSD default installs scan these directories for changes daily. /var/something is a good choice, but make sure the directory doesn't get wiped by cron jobs, and PLEASE read the notice above about setting file modes on the logfile.
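A defender-side check, added here and not part of the SSH Rootkit release: because the patched sshd needs a mode-666 cleartext log and the author suggests hiding it under /dev or /var, listing regular files under /dev and world-writable regular files under /var surfaces exactly that artifact. The scan roots are parameters (an assumption, so the check can be exercised on a constructed directory tree).

```sh
#!/bin/sh
# Added example (not from the SSH Rootkit release): look for the cleartext
# login log the patch depends on. Scan roots are passed in so the functions
# can be run against a constructed tree instead of the live system.

# Print every regular file under a /dev-like root. /dev should contain only
# device nodes, symlinks and directories, so any regular file deserves a look.
# -xdev keeps find on one filesystem, which skips separate mounts such as /dev/shm.
regular_files_in_dev() {
    [ -d "$1" ] || return 0
    find "$1" -xdev -type f 2>/dev/null
}

# Print every regular file under a root that "others" may write to (permission
# bit 002), which is what "chmod 666 logfile" produces.
world_writable_files() {
    [ -d "$1" ] || return 0
    find "$1" -xdev -type f -perm -002 2>/dev/null
}

# Run both checks against the given roots (defaults: /dev and /var).
# Returns 1 and lists the paths when something was found, 0 when clean.
hunt_rootkit_logfile() {
    dev_root=${1:-/dev}
    var_root=${2:-/var}
    hits=$( { regular_files_in_dev "$dev_root"; world_writable_files "$var_root"; } | sort -u )
    if [ -n "$hits" ]; then
        printf 'possible hidden log file(s):\n%s\n' "$hits"
        return 1
    fi
    return 0
}
```

Any hit still needs a manual look (some packages do place world-writable spool files under /var), but a regular file under /dev or a hidden mode-666 file under /var with recent login-looking content is the thing to escalate.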