{
	"id": "be38b4ad-9fc1-437f-a3d4-9ffbb041e30e",
	"created_at": "2026-04-10T03:21:40.889524Z",
	"updated_at": "2026-04-10T03:22:18.351594Z",
	"deleted_at": null,
	"sha1_hash": "cd2ac233c70c5542037d4929c6ab9f91f54b2324",
	"title": "Linux/SSHDoor.A Backdoored SSH daemon that steals passwords",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 207808,
	"plain_text": "Linux/SSHDoor.A Backdoored SSH daemon that steals passwords\r\nBy Sébastien Duquette\r\nArchived: 2026-04-10 02:25:34 UTC\r\n24 Jan 2013  •  3 min. read\r\nIn his summary of New Year predictions by security researchers here at ESET, Stephen Cobb pointed to expanded\r\nefforts by malware authors to target the Linux operating system. Looks like that might be right: A blog post\r\npublished by Sucuri yesterday describes a backdoored version of the SSH daemon discovered on compromised\r\nservers. Interestingly, this backdoor was used in conjunction with the malicious Apache module Linux/Chapro.A\r\nthat we blogged about recently.\r\nThe Secure Shell Protocol (SSH) is a very popular protocol used for secure data communication. It is widely used\r\nin the Unix world to manage remote servers, transfer files, etc. The modified SSH daemon described here,\r\nLinux/SSHDoor.A, is designed to steal usernames and passwords and allows remote access to the server via\r\neither a hardcoded password or an SSH key.\r\nThe strings related to the hidden behaviors are XOR encoded. This is done to avoid easy identification by\r\nsearching the binary for suspicious strings. We identified a total of 16 encoded strings. The figure below shows the\r\npart of the code responsible for decoding the hidden data by XORing it with the constant 0x23.\r\nThe HTTP protocol is used to send stolen data to a remote server. The information is first encrypted using a 1024-\r\nbit RSA key stored in the binary and then Base64 encoded. The data is sent via an HTTP POST request to the\r\nserver used for data exfiltration.\r\nhttps://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/\r\nPage 1 of 4\n\nThe binary we analyzed contains two hostnames for servers used to collect data: openssh.info and\r\nlinuxrepository.org. Both names were probably chosen to avoid raising suspicions from the administrators of the\r\ncompromised servers. 
At this point in time, both hostnames point to a server hosted in Iceland with IP\r\n82.221.99.69.\r\nWhen the daemon is started, the backdoor sends the IP and port on which the service is running and the hostname\r\nof the server.\r\nWhenever a user successfully logs onto the compromised server, the username and password are also sent to the\r\nremote server.\r\nIn addition to stealing credentials, the backdoor guarantees persistence on the compromised host for the attacker in\r\ntwo different ways. First, it has a hard-coded password inserted in the code. If any user logs in using this\r\npassword, he is automatically granted access to the compromised server. The following figure shows the string\r\ncomparison between the password provided by a user trying to log in and the hardcoded password.\r\nSecond, the modified binary also carries an SSH key. If a user logs into the server with the private key\r\ncorresponding to the hard-coded public key, he is automatically granted access.\r\nThe backdoor can also retrieve configuration data from the file /var/run/.options. If this file exists, the backdoor\r\nwill use the hostname, backdoor password and SSH key stored in it. The variables are stored one per line in\r\ncleartext.\r\nAs with Linux/Chapro.A, it is hard to tell how this Trojanized SSH daemon made its way onto a compromised\r\nserver, but outdated applications or weak passwords are probably to blame. Finding backdoored files can be\r\nproblematic for most system administrators. We recommend regular use of integrity checking tools plus\r\nmonitoring of outgoing network connections and regular scanning of all files by an antivirus product. 
This threat\r\nis detected by ESET as Linux/SSHDoor.A.\r\nSpecial thanks to Peter Kosinar, Pierre-Marc Bureau, and Olivier Bilodeau for their help.\r\nAnalyzed sample MD5 hash: 90dc9de5f93b8cc2d70a1be37acea23a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/"
	],
	"report_names": [
		"linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords"
	],
	"threat_actors": [],
	"ts_created_at": 1775791300,
	"ts_updated_at": 1775791338,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cd2ac233c70c5542037d4929c6ab9f91f54b2324.pdf",
		"text": "https://archive.orkl.eu/cd2ac233c70c5542037d4929c6ab9f91f54b2324.txt",
		"img": "https://archive.orkl.eu/cd2ac233c70c5542037d4929c6ab9f91f54b2324.jpg"
	}
}