NEWS - January 25, 2013
by Carol~ - 1/25/13 8:53 AM
Web server hackers installing rogue Apache modules and SSH backdoors
"Original SSH binary files get replaced with credential-stealing versions, researchers warn"
A group of hackers that are infecting Web servers with rogue Apache modules are also backdooring their Secure Shell (SSH) services in order to steal login credentials from administrators and users.
The hackers are replacing all of the SSH binary files on the compromised servers with backdoored versions that are designed to send the hostname, username and password for incoming and outgoing SSH connections to attacker-controlled servers, security researchers from Web security firm Sucuri said Wednesday in a blog post.
"I saw some SSHD [SSH daemon] backdoors in the past in very small scale or part of public rootkits, but not like this one," Daniel Cid, Sucuri's chief technology officer, said Thursday via email. "They do not only modify the ssh daemon, but every ssh binary (ssh, ssh-agent, sshd) and their main goal is to steal passwords."
Continued: http://news.techworld.com/security/3422504/web-server-hackers-installing-rogue-apache-modules-ssh-backdoors/
Related: SSH Backdoor Linked to Linux Rootkits