🧵 Backdooring #SSH daemons (sshd) via simple patches has probably existed since the dawn of time. Typically, a patched and recompiled version of #OpenSSH allows a threat actor to:
1⃣ log in with a master password
2⃣ log all credentials to a file
3⃣ hide logons from "last"
1/4
‼️ In particular, the logging of further credentials potentially enables threat actors to maintain access in case the backdoored #SSH daemon is detected and removed, or to move laterally in the network due to password reuse.
2/4
A few lines of source code say more than a thousand lines of prose 📚. Therefore, I recommend having a look at an example: github.com/QAX-A-Team/ope…. The changes are minimal, the impact is potentially huge.
3/4
🔫 To hunt for backdoored #SSH daemons on #VirusTotal you can use the following #VirusTotal Intelligence Query:
➡️ name:"sshd" and tag:elf and p:1+
4/4
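The VirusTotal query above finds samples that have already been uploaded; the complementary check on a host is whether the installed sshd still matches what the package manager shipped, since a recompiled binary changes the hash. The following script is an added example, not code from the thread or from the linked repository: it parses a dpkg-style md5sums manifest (the format of /var/lib/dpkg/info/openssh-server.md5sums on Debian/Ubuntu, assumed here) and reports every listed file as ok, modified or missing. The fixture it runs against is constructed, and the `root` parameter is an assumption added so the check can be pointed at a mounted disk image instead of the live root.

```python
import hashlib
import os
import tempfile


def parse_md5sums(text):
    """Parse a dpkg-style manifest ("md5hex  relative/path" per line) into {abs_path: md5}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, rel_path = line.partition("  ")
        expected["/" + rel_path.strip()] = digest.strip().lower()
    return expected


def md5_of_file(path):
    """MD5 of a file, streamed so a large binary is not read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_manifest(expected, root="/"):
    """Return {abs_path: "ok" | "modified" | "missing"} for every file in the manifest.

    `root` (an assumption of this example) lets the same check run against a
    mounted image or a test fixture instead of the live filesystem.
    """
    results = {}
    for abs_path, digest in expected.items():
        candidate = os.path.join(root, abs_path.lstrip("/"))
        if not os.path.isfile(candidate):
            results[abs_path] = "missing"
        elif md5_of_file(candidate) == digest:
            results[abs_path] = "ok"
        else:
            results[abs_path] = "modified"
    return results


def suspicious(results):
    """Paths whose state warrants a closer look (hash mismatch or file gone)."""
    return sorted(p for p, state in results.items() if state != "ok")


def demo():
    """Constructed fixture: a fake root in which sshd was replaced after installation."""
    original_sshd = b"placeholder bytes standing in for the packaged sshd\n"
    patched_sshd = b"placeholder bytes standing in for a recompiled, patched sshd\n"
    sftp_server = b"placeholder bytes standing in for sftp-server\n"

    # The manifest records the hashes the package shipped with.
    manifest = (
        f"{hashlib.md5(original_sshd).hexdigest()}  usr/sbin/sshd\n"
        f"{hashlib.md5(sftp_server).hexdigest()}  usr/lib/openssh/sftp-server\n"
        f"{hashlib.md5(b'ssh-keygen').hexdigest()}  usr/bin/ssh-keygen\n"
    )

    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/sbin"))
        os.makedirs(os.path.join(root, "usr/lib/openssh"))
        with open(os.path.join(root, "usr/sbin/sshd"), "wb") as f:
            f.write(patched_sshd)   # on-disk binary differs from the packaged one
        with open(os.path.join(root, "usr/lib/openssh/sftp-server"), "wb") as f:
            f.write(sftp_server)    # untouched
        # usr/bin/ssh-keygen is deliberately absent from the fixture
        return verify_manifest(parse_md5sums(manifest), root=root)


if __name__ == "__main__":
    for path, state in sorted(demo().items()):
        print(f"{state:9s} {path}")
```

Two caveats a practitioner should keep in mind: `dpkg -V openssh-server` and `rpm -V openssh-server` perform this comparison natively, and the manifest lives on the same disk as the binary, so an attacker who replaced sshd can also rewrite it. Hashes taken from the distribution's own package archive, or the hash of the known-good build compared against what VirusTotal reports for the suspect file, are the more trustworthy reference.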