rkhunter trojaned sshd

rkhunter trojaned sshd

Wally
Greetings.  I have compiled openssh 6.5p1, openssl 1.0.1f and rkhunter 1.4.2.   

Rkhunter shows the following message:
[ Warning ]Found string 'aion' in file '/usr/sbin/sshd'. Possible rootkit: Trojaned SSH daemon

OpenSSH is compiled with OpenSSL support, and the string "aion" that is identified as a possible root kit by rkhunter is found inside "openssl-1.0.1f/crypto/aes/asm/vpaes-x86_64.pl" file.  It looks like a simple typo on line 1063.   Could the developers please take a look and possibly repackage the release? 

Thanks
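As an added example (not part of this thread, nor code from rkhunter or OpenSSL), here is a small Python triage helper for exactly this kind of hit. It assumes, from the warning text, that rkhunter matches the bare substring 'aion' anywhere in the binary; the "binary" is a constructed stand-in containing OpenSSL's misspelled vpaes banner and a standalone marker, and for each hit the script recovers the whole printable string the match sits in, so an admin can see at a glance whether the hit is a fragment of a longer, readable string or a bare marker that deserves a provenance check.

```python
import re
import string

# Printable ASCII minus line/tab whitespace: the byte class `strings` treats as text.
PRINTABLE = set(bytes(string.printable, "ascii")) - set(b"\n\r\t\x0b\x0c")

# Constructed stand-in for /usr/sbin/sshd (not a real binary): an ELF-like
# prefix, OpenSSL's misspelled vpaes banner, padding, then a bare "aion".
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)\x00"
    + b"\x90" * 8
    + b"aion\x00"
    + b"\x00" * 4
)


def find_hits(blob: bytes, marker: bytes):
    """Return (offset, enclosing_string) for each occurrence of marker.

    enclosing_string is the maximal run of printable ASCII around the hit,
    i.e. what `strings` would print for it, so the reader sees the context.
    """
    hits = []
    for m in re.finditer(re.escape(marker), blob):
        start, end = m.start(), m.end()
        while start > 0 and blob[start - 1] in PRINTABLE:
            start -= 1
        while end < len(blob) and blob[end] in PRINTABLE:
            end += 1
        hits.append((m.start(), blob[start:end].decode("ascii")))
    return hits


def classify(enclosing: str, marker: str) -> str:
    """Rough triage verdict; an assumed heuristic, not rkhunter's own logic."""
    if enclosing == marker:
        return "standalone marker: verify the binary's provenance"
    if len(enclosing) >= 4 * len(marker) and " " in enclosing:
        return "fragment of a longer string: likely benign, confirm in source"
    return "short context: inconclusive"


def triage(blob: bytes, marker: bytes = b"aion"):
    return [(off, s, classify(s, marker.decode())) for off, s in find_hits(blob, marker)]


if __name__ == "__main__":
    for off, s, verdict in triage(SAMPLE_BINARY):
        print(f"offset {off:#x}: {s!r} -> {verdict}")
```

Run it against a real file by replacing SAMPLE_BINARY with `open("/usr/sbin/sshd", "rb").read()`; the banner hit then shows up as the full "Vector Permutaion AES ..." string from `_vpaes_consts`.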
Re: rkhunter trojaned sshd

Steven Kneizys
I see that in the source:

.asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"

And should be:

.asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg (Stanford University)"

I am just wondering why rkhunter would possibly think that was a vulnerability!

Steve...


On Tue, Mar 11, 2014 at 3:12 PM, Wally <[hidden email]> wrote:
--
Steve Kneizys
Senior Business Process Engineer
Voice: (610) 256-1396  [For Emergency Service (888)864-3282]
Ferrilli Information Group -- Quality Service and Solutions for Higher Education
web: http://www.ferrilli.com/

Making you a success while exceeding your expectations.
Re: rkhunter trojaned sshd

Wally
Hi Steve, 

I believe there are a few other files that contain "aion" but I think they're just comments and don't end up as strings in the compiled file.  If you do a find | grep you'll see the other files.  I'm not sure how rkhunter fully works yet.  I ended up correcting the typo and recompiling.  Now rkhunter no longer throws the warning.

Wally


On Tue, Mar 11, 2014 at 2:54 PM, Steven Kneizys <[hidden email]> wrote:
Re: rkhunter trojaned sshd

Steven Kneizys
I am actually thinking this is an rkhunter bug!  :-)


On Tue, Mar 11, 2014 at 4:06 PM, Wally <[hidden email]> wrote:
Re: rkhunter trojaned sshd

Wally
Quite possibly.  It is still a typo though ;-) I've notified the folks on the rkhunter mailing list as well.  Seeing a warning that your sshd daemon has possibly been trojaned can cause a heartbeat skip ;-) Thanks for checking.


On Tue, Mar 11, 2014 at 3:10 PM, Steven Kneizys <[hidden email]> wrote:
Re: rkhunter trojaned sshd

Steven Kneizys
Here is a diff for it (although tabs may not make it across the email
so it is attached as well):

--- openssl-1.0.1f_ORIG/crypto/aes/asm/vpaes-x86_64.pl 2014-03-11
16:48:36.329545015 -0400
+++ openssl-1.0.1f/crypto/aes/asm/vpaes-x86_64.pl 2014-03-11
16:48:36.329545015 -0400
@@ -1060,7 +1060,7 @@
 .Lk_dsbo: # decryption sbox final output
  .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
  .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C
-.asciz "Vector Permutaion AES for x86_64/SSSE3, Mike Hamburg
(Stanford University)"
+.asciz "Vector Permutation AES for x86_64/SSSE3, Mike Hamburg
(Stanford University)"
 .align 64
 .size _vpaes_consts,.-_vpaes_consts
 ___
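Review bot: the `---`/`+++` header lines and both `.asciz` lines of this hunk have been wrapped by the mail client onto two lines each, so the inline copy will not apply with `patch` as pasted; the attached patch_vpaes-x86_64.pl.txt is the copy to use. The hunk itself is consistent with the report (the `.asciz` line at 1060+3 is the "line 1063" named earlier, and the context lines match). It would help to say in the commit message why a one-letter spelling fix is worth a patch: the string sits inside `_vpaes_consts`, so it is emitted into the built object and ends up in any binary linked against it (here /usr/sbin/sshd), and "Permutaion" contains exactly the substring 'aion' that rkhunter matches. Note that the fix removes the false positive without changing rkhunter's four-character signature, so the parallel report to the rkhunter list is the right follow-up.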

On Tue, Mar 11, 2014 at 4:20 PM, Wally <[hidden email]> wrote:



--
Steve Kneizys
Senior Business Process Engineer
Voice: (610) 256-1396  [For Emergency Service (888)864-3282]
Ferrilli Information Group -- Quality Service and Solutions for Higher Education
web: http://www.ferrilli.com/

Making you a success while exceeding your expectations.

Attachment: patch_vpaes-x86_64.pl.txt (778 bytes)
Re: rkhunter trojaned sshd

Wally
Thanks Steve.  Much appreciated. 


On Tue, Mar 11, 2014 at 3:56 PM, Steven Kneizys <[hidden email]> wrote: