OSX 10.6.6 SSH md5 break-in check
- by Alex
Information
Recently one of the Linux servers that I access was compromised to steal passwords and ssh keys using a modified ssh binary. This led me to question whether the attacker had compromised my OSX laptop, which had ssh access turned on. A Sophos virus scan turned up nothing, and I did not have rkhunter installed before the attack, so I could not compare hashes of the system binaries to be sure. However, because OSX is relatively standard for each of its major releases, I asked friends for MD5 hashes (md5 /usr/bin/ssh and md5 /usr/sbin/sshd) as a basic first check to see if there was anything different about my machine. A few emails later I have found the following data:
Version (Arch)        [N]  MD5 (/usr/bin/ssh)                MD5 (/usr/sbin/sshd)
OSX 10.5.8 (PPC)      [3]  1e9fd483eef23464ec61c815f7984d61  9d32a36294565368728c18de466e69f1
OSX 10.5.8 (intel)    [5]  1e9fd483eef23464ec61c815f7984d61  9d32a36294565368728c18de466e69f1
OSX 10.6.x (intel)    [7]  591fbe723011c17b6ce41c537353b059  e781fad4fc86cf652f6df22106e0bf0e
OSX 10.6.x (intel)    [4]  58be068ad5e575c303ec348a1c71d48b  33dafd419194b04a558c8404b484f650
Mine 10.6.6 (intel)        df344cc00a294c91230c65e8b7332a79  b5094ccf4cd074aaf573d4f5df75906a
where N is the number of machines with that MD5, and the last row is my laptop. The sample is relatively heterogeneous, spanning a few years of different makes and models of Apples, and different versions of 10.6.x. The different hash for my system made me worried that these binaries might have been compromised. So I made sure that my backup for the week was good, and dived into formatting my system and reinstalling OSX.
After reinstalling OSX from the manufacturer DVD, I found that the MD5 hash did not change for either ssh, or sshd.
Goal
Make sure that my system does not have any malicious software. Should I be worried that this base install of OSX (with no other software installed) has been compromised? I have also updated my system to 10.6.6 and found no change as well.
Other Information
I am not sure if this is helpful information, but my laptop is an i7 15 inch MacBook Pro bought in Nov 2010, and here is some output from system_profiler:
System Software Overview:
      System Version: Mac OS X 10.6.6 (10J567)
      Kernel Version: Darwin 10.6.0
      64-bit Kernel and Extensions: No
      Time since boot: 1:37
Hardware:
    Hardware Overview:
      Model Name: MacBook
      Model Identifier: MacBook6,2
      Processor Name: Intel Core i7
      Processor Speed: 2.66 GHz
      Number Of Processors: 1
      Total Number Of Cores: 2
      L2 Cache (per core): 256 KB
      L3 Cache: 4 MB
      Memory: 4 GB
      Processor Interconnect Speed: 4.8 GT/s
      Boot ROM Version: MBP61.0057.B0C
      SMC Version (system): 1.58f16
      Sudden Motion Sensor:
          State: Enabled
On the laptop, I find:
$ codesign -vvv /usr/bin/ssh
/usr/bin/ssh: valid on disk
/usr/bin/ssh: satisfies its Designated Requirement
$ codesign -vvv /usr/sbin/sshd
/usr/sbin/sshd: valid on disk
/usr/sbin/sshd: satisfies its Designated Requirement
$ ls -la /usr/bin/ssh
-rwxr-xr-x 1 root wheel 1001520 Feb 11 2010 /usr/bin/ssh
$ ls -la /usr/sbin/sshd
-rwxr-xr-x 1 root wheel 1304800 Feb 11 2010 /usr/sbin/sshd
$ ls -la /sbin/md5
-r-xr-xr-x 1 root wheel 65232 May 18 2009 /sbin/md5
Update
So far I have not gotten an answer about this question, but if you could help by increasing the number of hashes that I can compare against, that would be great. To get hashes and version numbers, run the following on OS X:
md5 /usr/bin/ssh
md5 /usr/sbin/sshd
ssh -V
sw_vers
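The comparison the post is doing by hand (collect MD5s of /usr/bin/ssh and /usr/sbin/sshd from other machines, then see whether the local copies match) can be turned into a small script. The following is an added example and is not code from the original post: it gathers a baseline in the form "md5 path" that other people can send back, checks a local machine against such a baseline, and, where the codesign tool is available, also verifies the binary's signature the way the post did. It uses md5 on OS X and falls back to md5sum elsewhere, so the same baseline file can be checked on either system. Note that the table in the post already shows two different hash pairs for "10.6.x", so a mismatch against one person's machine only means a different build of the binary; it is a reason to look closer (signature, install media, patch level), not proof of tampering.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Baseline format, one file per line:  <md5 hex digest> <absolute path>
# e.g. the two lines a friend would produce with `md5 /usr/bin/ssh` and `md5 /usr/sbin/sshd`.

# Print only the hex digest of one file, on OS X (md5) or Linux (md5sum).
md5_of() {
    if command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    elif command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# gather_baseline PATH...  ->  prints "<md5> <path>" for each file given.
# Run this on a machine believed to be clean and keep the output as the baseline.
gather_baseline() {
    for f in "$@"; do
        printf '%s %s\n' "$(md5_of "$f")" "$f"
    done
}

# signature_status PATH  ->  "signed-ok", "SIGNATURE-BAD", or "no-codesign" (tool absent).
# `codesign -v FILE` verifies the code signature; it only exists on OS X.
signature_status() {
    if command -v codesign >/dev/null 2>&1; then
        if codesign -v "$1" >/dev/null 2>&1; then echo signed-ok; else echo SIGNATURE-BAD; fi
    else
        echo no-codesign
    fi
}

# check_against_baseline BASELINE_FILE
# Compares every path listed in the baseline with the local file and prints a verdict
# per path. Returns 0 only if every file exists and every digest matches.
check_against_baseline() {
    baseline=$1
    bad=0
    while read -r expected path; do
        [ -z "$path" ] && continue            # skip blank lines
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
            bad=1
            continue
        fi
        actual=$(md5_of "$path")
        if [ "$actual" = "$expected" ]; then
            printf 'OK       %s (%s)\n' "$path" "$(signature_status "$path")"
        else
            printf 'MISMATCH %s expected=%s actual=%s (%s)\n' \
                "$path" "$expected" "$actual" "$(signature_status "$path")"
            bad=1
        fi
    done < "$baseline"
    return $bad
}

# Usage on the laptop from the post:
#   gather_baseline /usr/bin/ssh /usr/sbin/sshd > friend-baseline.txt   (on a friend's machine)
#   check_against_baseline friend-baseline.txt                           (on the suspect machine)
```

A mismatch line tells you which of the two binaries differs and what the local digest is, so the local value can be added to the table in the post; the signature status next to it is the cheap second check, since a binary that was patched after installation would no longer verify under codesign.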