The default backdoor password that I analysed in the trojanized OpenSSH source code (PRtestD) differs depending on the OS and the architecture. I also found that the file where all the 'sniffed' passwords are stored (by default /etc/X11/.pr) differs as well.
As mentioned in my previous post, there are 7 different trojanized packages for several OSes / architectures:
- armv6 (ARMv6): http://gopremium.mooo.com/.../auto/arm61.tgz
- armv71 (ARMv7): http://gopremium.mooo.com/.../auto/arm71.tgz
- Vyos (x86): http://gopremium.mooo.com/.../auto/vyos.tgz
- Vyos64 (x64): http://gopremium.mooo.com/.../auto/vyos64.tgz
- edgeos (MIPS): http://gopremium.mooo.com/.../auto/edgeos.tgz
- edgeos64 (MIPS 64bits): http://gopremium.mooo.com/.../auto/edgeos64.tgz
- default (compile on demand): http://gopremium.mooo.com/.../auto/default.tgz
Using radare2, I disassembled the 'sym.auth_password' function (where the backdoor password check is located) in each of the different sshd binaries.
Following the assembly code for each binary:
- ARMv6: the password is PRtest0
- ARMv7: the password is the same as for ARMv6: PRtest0
- Vyos: in this case the password is GZm7HF, and the file is different as well: '/etc/lps/lps'
- Vyos64: in this case the password is GZm7HF too, and the file is '/etc/lps/lps' as well
- edgeos: the password and the file are the same as for Vyos/Vyos64
- edgeos64: radare2 doesn't seem to work with this MIPS 64 file
As a summary, the backdoor passwords are:
- ARMv7 / ARMv6 = PRtest0
- Vyos / Vyos64 = GZm7HF
- Default = PRtestD
- edgeos = PRtest0
- edgeos64 = unknown (radare2 could not open the binary)
The files with the sniffed accounts are:
- ARMv7 / ARMv6 = /etc/X11/.pr
- Vyos / Vyos64 = /etc/lps/lps
- Default = /etc/X11/.pr
- edgeos = /etc/lps/lps
- edgeos64 = unknown
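The passwords and log paths in the summary above are usable as indicators of compromise without any disassembly: they are plain strings in the binary, so a byte-level scan finds them even for a build that radare2 cannot open (such as the MIPS 64 one). The script below is an added example, not code from the original post or from the trojanized package. It extracts printable strings from an sshd binary, matches them against the passwords and paths listed above, and optionally checks whether the credential-log files exist on the host. The script name scan_sshd.py and the sample "binary" (a constructed byte blob with an ELF magic, not a real trojanized sshd) are my assumptions for illustration.

```python
"""scan_sshd.py: scan an sshd binary for the backdoor strings listed above.

Added example (hypothetical script name), not part of the original post.
It works on raw bytes, so it does not depend on a disassembler supporting
the target architecture.
"""
import os
import re
import sys
from typing import Callable, Dict, List

# Backdoor passwords from the analysis, with the builds they were seen in.
BACKDOOR_PASSWORDS: Dict[bytes, str] = {
    b"PRtestD": "default (compile on demand)",
    b"PRtest0": "ARMv6 / ARMv7 / edgeos",
    b"GZm7HF": "Vyos / Vyos64",
}
# Files where the trojan stores sniffed credentials.
LOG_PATHS: List[bytes] = [b"/etc/X11/.pr", b"/etc/lps/lps"]

# Constructed sample inputs (not real sshd binaries): one carrying the
# Vyos-style strings, one clean.
SAMPLE_TROJANIZED = (
    b"\x7fELF" + b"\x00" * 12
    + b"OpenSSH_6.7p1\x00auth_password\x00GZm7HF\x00/etc/lps/lps\x00"
)
SAMPLE_CLEAN = b"\x7fELF" + b"\x00" * 12 + b"OpenSSH_6.7p1\x00auth_password\x00"


def extract_strings(data: bytes, min_len: int = 4) -> List[bytes]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def scan_binary(data: bytes) -> Dict[str, List[str]]:
    """Match extracted strings against the known passwords and log paths.

    Passwords must match a whole string (they are NUL-terminated C literals);
    log paths are matched as substrings so a path embedded in a longer
    format string is still caught.
    """
    passwords: List[str] = []
    log_paths: List[str] = []
    for s in extract_strings(data):
        if s in BACKDOOR_PASSWORDS and s.decode() not in passwords:
            passwords.append(s.decode())
        for path in LOG_PATHS:
            if path in s and path.decode() not in log_paths:
                log_paths.append(path.decode())
    return {"passwords": passwords, "log_paths": log_paths}


def check_host(sshd_data: bytes,
               path_exists: Callable[[str], bool] = os.path.exists) -> Dict[str, object]:
    """Combine the binary scan with a check for the credential-log files.

    path_exists is injectable so the check can be unit-tested without
    touching the real filesystem.
    """
    found = scan_binary(sshd_data)
    present = [p.decode() for p in LOG_PATHS if path_exists(p.decode())]
    suspicious = bool(found["passwords"] or found["log_paths"] or present)
    return {
        "passwords": found["passwords"],
        "log_paths": found["log_paths"],
        "log_files_present": present,
        "suspicious": suspicious,
    }


def describe(found: Dict[str, List[str]]) -> List[str]:
    """Human-readable lines: which build each found password belongs to."""
    return [f"{pw} -> {BACKDOOR_PASSWORDS[pw.encode()]}" for pw in found["passwords"]]


if __name__ == "__main__":
    # Usage: python3 scan_sshd.py /usr/sbin/sshd
    for name in sys.argv[1:]:
        with open(name, "rb") as fh:
            report = check_host(fh.read())
        print(name, report)
        for line in describe(scan_binary(open(name, "rb").read())):
            print("  ", line)
```

A clean result only means these particular strings are absent: a rebuilt variant with a different password or log path would not be caught, so treat the scanner as a quick triage step and not as proof that a binary is untouched. Conversely, a hit on either /etc/X11/.pr or /etc/lps/lps on a live host is worth preserving before cleanup, since that file is the record of which credentials were captured.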