After he installed it, it was running this /usr/lib/exo00 and sshd2 on
port 2300 with option -q.
Does anyone know anything about this?
--
Ricardo Souza
NetWork Admin
Information Management
+55 11 3253-6303
> A customer bought an unofficial oBSD CD.
                       ^^^^^^^^^^
> After he installed it, it was running this /usr/lib/exo00 and sshd2
> on port 2300 with option -q.
>
> Does anyone know anything about this?
Do you really expect a solution for an unofficial release?
Damien
Ricardo,
Customer buys an unofficial CD and you expect the obsd team to know what the
hell you bought?
Tyler
And I always thought that trojaned distributions were no more than a
bogeyman.
As Damien wrote, you are not going to get much help here, but this
sounds extremely worrisome to me. I think your customer should
turn that system off IMMEDIATELY and get a real copy of OpenBSD
and reinstall everything. Buy the real CD, or do an ftp install from
one of the official mirrored sites.
I have no 'sshd2' on my -current machine. I know that the -q flag in
sshd means "quiet mode", so I get the uneasy feeling that this is a
nice silent backdoor on the system, waiting to be plundered by the
creatures who made this "OpenBSD CD".
It might be worth finding out who created this CD and telling the list
on mi...@openbsd.org. This belongs there and not tech@.
Unless you are a real expert on the workings of OpenBSD, you are
unlikely to find the possible subtle variations between this version
of OpenBSD and the real one. You really don't know what this version
is doing, but from what you say about 'sshd2', I do not think it's good.
Beware.
--STeve Andre'
> A customer bought an unofficial oBSD CD.
therefore this is not the right place to ask questions about the
distribution on that cd. maybe if you've determined the cd is trojaned
or otherwise Bad, it would be helpful to send mail to misc@ with as much
info as possible about the vendor so as to prevent future abuse.
> After he installed it, it was running this /usr/lib/exo00
assume exo00 is Something Bad until proven otherwise. is there any
documentation on the cd indicating it is supposed to be running on that
OS?
> and sshd2 on
> port 2300 with option -q.
that's a strange port, and -q is quiet mode: no logging done. is it
documented on the cd that this should be the case? if not, assume it is a
backdoor into the system. maybe exo00 broadcasts the location of the
compromised system.
> Does anyone know anything about this?
yes, the person who sold your customer the cd probably knows a great deal
about the cd, the computer it is running on, and possibly even the
network that the computer is on.
assume the computer is compromised unless the cd has been bought from a
trusted source. For Official OpenBSD, that source is
http://www.openbsd.org/orders.html
for unofficial OpenBSD, well, you really have to ask yourself if you trust
the vendor, and if there is no documentation on the features you mention,
then don't trust that vendor and treat the computer as you would any other
compromised system.
> --
> Ricardo Souza
> NetWork Admin
> Information Management
> +55 11 3253-6303
good luck,
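The reply above boils down to a quick triage: list what is listening, list what is running, and flag anything the official install does not account for. Here is an added example of that triage as a small POSIX shell script; it is not code from anyone in this thread. Because the reported sshd2 runs with -q (quiet mode, nothing sent to syslog), the logs will not show it, so the check has to come from the socket and process tables rather than from the logs. The netstat and ps listings below are constructed to resemble what Ricardo described (an extra listener on 2300, an extra /usr/lib/exo00 process), not output captured from the real machine, and the expected-port and known-good-program lists are assumptions an admin would fill in from a clean official install.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (hypothetical, not from the
# customer's box): the normal sshd on 22, local smtp on 25, and the
# unexplained listener on 2300 that the thread is about.
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  *.22                   *.*                    LISTEN
tcp        0      0  *.2300                 *.*                    LISTEN
tcp        0      0  127.0.0.1.25           *.*                    LISTEN'

# Constructed sample of `ps auxww` output (hypothetical): COMMAND is the
# 11th column. The sshd2 line carries the -q that disables logging.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ   RSS TT  STAT  STARTED       TIME COMMAND
root       233  0.0  0.3   328   784 ??  Is     3:01PM    0:00.01 /usr/sbin/sshd
root       241  0.0  0.2   256   512 ??  Is     3:01PM    0:00.00 /usr/lib/exo00
root       242  0.0  0.3   340   800 ??  Is     3:01PM    0:00.01 sshd2 -q -p 2300
root       101  0.0  0.1   200   400 ??  Is     3:01PM    0:00.00 /usr/sbin/syslogd'

# Assumed policy: the only ports this box should listen on, and the only
# programs an official install would leave running. Fill these in from a
# known-good system, never from the suspect one.
EXPECTED_PORTS="22 25"
KNOWN_GOOD="/usr/sbin/sshd /usr/sbin/syslogd"

# Print every local port in LISTEN state that is not in EXPECTED_PORTS.
# The local address looks like "*.2300" or "127.0.0.1.25"; the port is the
# text after the last dot.
unexpected_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" |
    awk '$NF == "LISTEN" { n = split($4, a, "."); print a[n] }' |
    while read -r port; do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;            # expected, say nothing
            *) echo "$port" ;;         # unexplained listener
        esac
    done
}

# Print the program name of every process not in KNOWN_GOOD.
# Only the command column is compared, so "sshd2 -q -p 2300" is judged
# on "sshd2", which a real OpenBSD base system does not ship.
suspicious_processes() {
    printf '%s\n' "$SAMPLE_PS" |
    awk 'NR > 1 { print $11 }' |
    while read -r cmd; do
        case " $KNOWN_GOOD " in
            *" $cmd "*) ;;
            *) echo "$cmd" ;;
        esac
    done
}

# Stand-alone run: report what the two checks found.
echo "Listening ports not in the expected set:"
unexpected_listeners
echo "Running programs not in the known-good list:"
suspicious_processes
```

On a real machine you would feed the functions the live `netstat -an` and `ps auxww` output instead of the constructed samples, and you would do it from a boot of trusted media, not from the suspect system itself: once a box is suspected of shipping with a backdoor, its own netstat, ps and shell may have been replaced too, which is exactly why the advice in this thread is to wipe and reinstall from an official source rather than to try to clean it in place.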
It sounds like the work of an automated exploit.
I've seen this on two systems that were installed as base 3.1
but not patched before being exposed to the 'net.
Either the same happened here or, more serious still, the
unofficial CD has the exploit already applied.
In either case, wipe the system and reinstall from official sources.
L
> After he installed it, it was running this /usr/lib/exo00 and sshd2 on
> port 2300 with option -q.
I just remembered seeing the word 'exo' in a log of an OpenBSD 3.0 honeypot
attack.
The log can be found here:
http://www.honeynet.ch/reports/openbsd.php
Maybe the same guys did this?
-mb
But can you confirm that the trojan actually came with the "unofficial CDs",
or was the machine exposed on the internet unpatched?
What was the source of the "unofficial CDs"?
/magnus
I mean that the unofficial CDs may not have contained the trojan.
The unofficial CDs _may_ be as good as the official ones.
Since there is a security problem with the ssh server that ships with
even the official CDs, it could just as well be a normal hack attack.
Even if you install from the official CDs, you should patch your ssh server
and your web server as well. See the errata file on
http://www.openbsd.org/errata.html
So: do you know _for_sure_ that the unofficial CDs contained the trojan?
The moral, of course, is to buy the official CDs; as always:
"Buy quality, cry once."
/magnus
What did you mean by unpatched?
Is there a patch for this?
> What did you mean by unpatched?
> Is there a patch for this?
For patches see:
http://www.openbsd.org/errata.html
Maybe he means no. 006.
best regards
Maik