Are you using Python module ‘SSH Decorator’? Newer versions include a backdoor

A backdoor was discovered in the Python module named SSH Decorator (ssh-decorate), that was developed by Israeli developer Uri Goren.

Are you using the Python module ‘SSH Decorator’? You need to check the version number, because newer versions include a backdoor.

The library was developed to handle SSH connections from Python code.

Early this week, a developer noticed that multiple backdoored versions of the SSH Decorate module, the malicious code included in the library allowed to collect users’ SSH credentials and sent the data to a remote server controlled by the attackers.

The remote server that received stolen data is accessible at the following address:

http://ssh-decorate.cf/index.php

The following images were shared bleepingcomputer.com that first reported the news.

The Israeli developer Uri Goren, once notified to the problem, confirmed that backdoor was added by attackers.

Initially, the developer has updated the password for the PyPI Python central repo hub and published a sanitized version of the package.

“I have updated my PyPI password, and reposted the package under a new name ssh-decorator,” he said.

“I have also updated the readme of the repository, to make sure my users are also aware of this incident.”

“It has been brought to our attention, that previous versions of this module had been hijacked and uploaded to PyPi unlawfully. Make sure you look at the code of this package (or any other package that asks for your credentials) prior to using it.” reads the README file.

The presence of the backdoor in the SSH Decorator module alerted many users on Reddit, many of them accused Goren that for this reason decided to take down the package from both GitHub and PyPI — the Python central repo hub.

Developers that use the SH Decorator (ssh-decorate) module need to use the last safe version was 0.27, later version 0.28 through 0.31 were compromised.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – SSH Decorator, Python SSH Backdoor)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.