Michael C. Toren on Fri, 19 Sep 2003 12:37:07 -0400

Re: [PLUG] If you've been lazy about that OpenSSH update...

> On Thu, Sep 18, 2003 at 09:18:10PM -0400, gabriel rosenkoetter wrote:
> > http://www.anzwers.org/free/m0nkeyhack/0d/
> Btw, please don't be so foolish as to run this *from* a machine you
> care about.
> (It happens to ALSO be a local trojan. Dumps an account named sys3
> on the local system.)

Based on what I've read on a private security list, it seems that the
sshexp.tar.bz2 tarball contains no exploit at all, and is nothing more
than a trojan.  Reproduced with the author's permission from that post,
but anonymously, at his request:

|   > http://www.anzwers.org/free/m0nkeyhack/0d/ points to
|   > http://www.angelfire.lycos.com/ill/m0nkey0/sshexp.tar.bz2 (currently)
|   Yep, this is a trojan, nothing more.  Exploiting the exploiters is
|   a very popular pastime in the underground, so XXXX's advice to
|   beware is very wise.  :)
|   This malware will produce some convincing output and pause a bit.
|   It will even make several connections to TCP 22 on the target
|   host.  This is all bunkum.  After seeming to exploit the remote
|   target, the malware performs the following steps on a Linux box,
|   presuming it is run as root:
|      1. Adds a UID 0 account, sys3, to /etc/passwd and /etc/shadow.
|         The malware will add the sys3 account each time it is run,
|         so multiple sys3 accounts ("aw nuts it didn't ssh hax0r
|         that remote host i'll try again") are possible.
|      2. Places the output of the following commands in /tmp/.tmp:
|         - ifconfig -a
|         - cat /etc/passwd /etc/shadow /root.ssh*/known_hosts
|         - find /home/ -name known_hosts -exec cat {}
|      3. Sends this file to m0nkeyhack@supermarkt.de, spoofing the
|         sender address as ownage@gmx.de.  Watch those mail logs!
|      4. Removes /tmp/.tmp.
|   There is only one MX for supermarkt.de, mail.gibts.net.  This is
|, AS5669 VIA NET.WORKS.  If someone has a contact
|   there, perhaps they can get this account removed.

I have not confirmed the above information myself.

Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
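
Added example, not part of the original post or the quoted analysis: shell checks for the traces that analysis describes (a non-root UID 0 account named sys3, possibly duplicated, and mail-log lines naming the two addresses). The default mail log path and the sample passwd and log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: look for the traces the quoted analysis attributes to the trojan.
# File paths are arguments so the checks also work on copies or a mounted image.

# Names of passwd entries with UID 0 other than root (the post names "sys3").
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1" | sort -u
}

# Number of entries for one account name; more than one suggests repeated runs.
count_account() {
    awk -F: -v u="$2" '$1 == u { n++ } END { print n + 0 }' "$1"
}

# Number of mail-log lines mentioning either address given in the post.
count_mail_hits() {
    grep -c -F -e 'm0nkeyhack@supermarkt.de' -e 'ownage@gmx.de' "$1" || true
}

# Returns 0 when nothing was found, 1 when any trace is present.
check_host() {
    passwd_file=${1:-/etc/passwd}
    mail_log=${2:-/var/log/maillog}    # assumed default; location varies by distro
    found=0
    extras=$(extra_uid0 "$passwd_file")
    if [ -n "$extras" ]; then
        echo "non-root UID 0 accounts:" $extras; found=1
    fi
    n=$(count_account "$passwd_file" sys3)
    if [ "$n" -gt 0 ]; then
        echo "sys3 entries in $passwd_file: $n"; found=1
    fi
    if [ -r "$mail_log" ]; then
        hits=$(count_mail_hits "$mail_log")
        if [ "$hits" -gt 0 ]; then
            echo "mail log lines naming the addresses: $hits"; found=1
        fi
    fi
    return "$found"
}

# Constructed sample data (not from a real host) for trying the checks offline.
make_sample() {
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'sys3:x:0:0::/:/bin/sh' 'sys3:x:0:0::/:/bin/sh' > "$1/passwd"
    printf '%s\n' \
        'Sep 19 03:12:01 host sendmail[411]: h8J7C1: from=<ownage@gmx.de>, size=4096' \
        'Sep 19 03:12:02 host sendmail[413]: h8J7C1: to=<m0nkeyhack@supermarkt.de>, stat=Sent' \
        'Sep 19 04:00:00 host sendmail[500]: h8J800: to=<alice@example.org>, stat=Sent' > "$1/maillog"
}
```

Calling `check_host` with no arguments reads /etc/passwd and the assumed mail log path; pass explicit paths to examine copies instead.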