Can anybody explain the following?
My virus scanner reported the following after the scan tonight:
/usr/bin/ssh-copy-id
    Found trojan or variant UNIX/Exploit-SSHIDEN !!!
    Please send a copy of the file to Network Associates
    The file has been renamed.
I used the following virus-scanner:
Virus Scan for Linux v4.16.0
Copyright (c) 1992-2003 Networks Associates Technology Inc. All rights reserved.
(408) 988-3832 LICENSED COPY - Nov 13 2001
Scan engine v4.2.40 for Linux.
Virus data file v4314 created Jan 14 2004
Scanning for 84549 viruses, trojans and variants.
As mentioned by McAfee in http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100960
I removed the ssh package and installed it again. However, the file /usr/bin/ssh-copy-id gets installed again with the same contents and the same creation date.
My sources.list looks like:
deb ftp://download.xs4all.nl/pub/mirror/debian/ stable main non-free contrib
deb-src ftp://download.xs4all.nl/pub/mirror/debian/ stable main non-free contrib
deb http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
deb-src http://non-us.debian.org/debian-non-US stable/non-US main contrib non-free
deb http://security.debian.org/ stable/updates main contrib non-free
deb file:/home/debs/ pakketten/
Furthermore ls -al gives: -rwxr-xr-x 1 root root 1115 Sep 19 10:07 /usr/bin/ssh-copy-id
Output of uname -a: Linux <snip> 2.4.23 #1 Sun Dec 28 12:46:20 CET 2003 i686 unknown
The content of ssh-copy-id gives:

#!/bin/sh

# Shell script to install your identity.pub on a remote machine
# Takes the remote machine name as an argument.
# Obviously, the remote machine must accept password authentication,
# or one of the other keys in your ssh-agent, for this to work.

ID_FILE="${HOME}/.ssh/identity.pub"

if [ "-i" = "$1" ]; then
  shift
  # check if we have 2 parameters left, if so the first is the new ID file
  if [ -n "$2" ]; then
    if expr "$1" : ".*\.pub" ; then
      ID_FILE="$1"
    else
      ID_FILE="$1.pub"
    fi
    shift         # and this should leave $1 as the target name
  fi
else
  if [ x$SSH_AUTH_SOCK != x ] ; then
    GET_ID="$GET_ID ssh-add -L"
  fi
fi

if [ -z "`eval $GET_ID`" -a -r "${ID_FILE}" ] ; then
  GET_ID="cat ${ID_FILE}"
fi

if [ -z "`eval $GET_ID`" ]; then
  echo "$0: ERROR: No identities found"
  exit 1
fi

{ eval "$GET_ID" ; } | ssh $1 "umask 077; test -d .ssh || mkdir .ssh ; cat >> .ssh/authorized_keys"

cat <<EOF
Now try logging into the machine, with "ssh '$1'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

EOF
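One way to tell a scanner false positive from a modified binary, as an added example that is not part of the original post: compare the flagged file with the checksum its Debian package recorded at install time. The function name and its arguments are hypothetical; the md5sums file format (hash, two spaces, path without leading slash) is the one dpkg keeps under /var/lib/dpkg/info.

```shell
#!/bin/sh
# Added example: check a flagged file against the checksum recorded by its
# Debian package. dpkg keeps these in /var/lib/dpkg/info/<package>.md5sums,
# one "md5hex  relative/path" entry per line (path has no leading slash).

# verify_packaged_file MD5SUMS_FILE ROOT ABSOLUTE_PATH
# Prints a verdict; returns 0 = matches, 1 = differs, 2 = not listed/unreadable.
verify_packaged_file() {
    sums=$1 root=$2 path=$3
    rel=${path#/}

    # Look up the recorded hash by exact path match (everything after field 1).
    want=$(awk -v p="$rel" \
        '{ h = $1; sub(/^[^ ]+ +/, ""); if ($0 == p) { print h; exit } }' \
        "$sums" 2>/dev/null)
    if [ -z "$want" ]; then
        echo "UNKNOWN: $path is not listed in $sums"
        return 2
    fi
    if [ ! -r "$root/$rel" ]; then
        echo "UNKNOWN: cannot read $root/$rel"
        return 2
    fi

    have=$(md5sum < "$root/$rel" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "OK: $path matches the packaged checksum ($have)"
        return 0
    fi
    echo "MISMATCH: $path is $have, package recorded $want"
    return 1
}

# On a real system (ssh is the package name used in the post):
#   verify_packaged_file /var/lib/dpkg/info/ssh.md5sums / /usr/bin/ssh-copy-id
# The local md5sums file is only as trustworthy as the host itself; for a
# stronger check, take the hash from a .deb fetched on a known-good machine.
```

A match means the scanner flagged the file exactly as the package shipped it; a mismatch means the file on disk was changed after installation and deserves a closer look.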