Re: [PLUG] If you've been lazy about that OpenSSH update...
> On Thu, Sep 18, 2003 at 09:18:10PM -0400, gabriel rosenkoetter wrote:
> > http://www.anzwers.org/free/m0nkeyhack/0d/
>
> Btw, please don't be so foolish as to run this *from* a machine you
> care about.
>
> (It happens to ALSO be a local trojan. Dumps an account named sys3
> on the local system.)
Based on what I've read on a private security list, it seems that the
sshexp.tar.bz2 tarball contains no exploit at all, and is nothing more
than a trojan. Reproduced with the author's permission from that post,
but anonymously, at his request:
| > http://www.anzwers.org/free/m0nkeyhack/0d/ points to
| > http://www.angelfire.lycos.com/ill/m0nkey0/sshexp.tar.bz2 (currently)
|
| Yep, this is a trojan, nothing more. Exploiting the exploiters is
| a very popular pastime in the underground, so XXXX's advice to
| beware is very wise. :)
|
| This malware will produce some convincing output and pause a bit.
| It will even make several connections to TCP 22 on the target
| host. This is all bunkum. After seeming to exploit the remote
| target, the malware performs the following steps on a Linux box,
| presuming it is run as root:
|
| 1. Adds a UID 0 account, sys3, to /etc/passwd and /etc/shadow.
| The malware will add the sys3 account each time it is run,
| so multiple sys3 accounts ("aw nuts it didn't ssh hax0r
| that remote host i'll try again") are possible.
|
| 2. Places the output of the following commands in /tmp/.tmp:
| - ifconfig -a
| - cat /etc/passwd /etc/shadow /root.ssh*/known_hosts
| - find /home/ -name known_hosts -exec cat {}
|
| 3. Sends this file to m0nkeyhack@supermarkt.de, spoofing the
| sender address as ownage@gmx.de. Watch those mail logs!
|
| 4. Removes /tmp/.tmp.
|
| There is only one MX for supermarkt.de, mail.gibts.net. This is
| 194.77.135.138, AS5669 VIA NET.WORKS. If someone has a contact
| there, perhaps they can get this account removed.
I have not confirmed the above information myself.
-mct
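A defender-side check for the indicators the quoted analysis lists, as an added example that is not from the thread or the quoted poster: it reads a passwd file for non-root UID 0 accounts, counts duplicated account names (the repeated sys3 entries), greps a mail log for the drop and spoofed addresses, and looks for /tmp/.tmp. The passwd and mail-log contents below are constructed samples, and the file paths are parameters so the same functions can be pointed at real files.

```shell
#!/bin/sh
# Added detection helper for the sys3 trojan indicators described in the post.

# Print non-root UID 0 account names from a passwd-format file, comma-joined,
# each name once (the trojan may add sys3 several times).
list_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" && !seen[$1]++ { out = out (out ? "," : "") $1 }
             END { print out }' "$1"
}

# Count account names that occur more than once in a passwd-format file.
count_dup_accounts() {
    awk -F: '{ n[$1]++ } END { d = 0; for (u in n) if (n[u] > 1) d++; print d }' "$1"
}

# Count mail-log lines mentioning the drop address or the spoofed sender.
check_mail_log() {
    grep -c -i -E 'm0nkeyhack@supermarkt\.de|ownage@gmx\.de' "$1"
}

# Report whether the staging file the trojan writes (and then removes) is present.
check_staging_file() {
    if [ -e "$1" ]; then echo present; else echo absent; fi
}

# Constructed sample inputs so the script runs stand-alone (not real system files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sys3:x:0:0::/:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sys3:x:0:0::/:/bin/sh
EOF
cat > "$SAMPLE_DIR/maillog" <<'EOF'
Sep 19 02:14:07 host sendmail[4212]: h8J6E7x04212: from=<ownage@gmx.de>, size=18402
Sep 19 02:14:09 host sendmail[4214]: h8J6E7x04212: to=<m0nkeyhack@supermarkt.de>, relay=mail.gibts.net., stat=Sent
Sep 19 02:20:00 host sendmail[4300]: h8J6K0x04300: from=<alice@example.org>, size=512
EOF

echo "non-root UID 0 accounts: $(list_extra_uid0 "$SAMPLE_DIR/passwd")"
echo "duplicate account names: $(count_dup_accounts "$SAMPLE_DIR/passwd")"
echo "suspicious mail-log lines: $(check_mail_log "$SAMPLE_DIR/maillog")"
echo "/tmp/.tmp: $(check_staging_file /tmp/.tmp)"
```

Against a live system, pass /etc/passwd and the MTA's log (e.g. /var/log/maillog) instead of the sample files; a non-empty first line or a non-zero third line warrants a closer look.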
_________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion -- http://lists.netisland.net/mailman/listinfo/plug