It might be this one:

http://www.immunitysec.com/GOBBLES/exploits/sshutup-theo.tar.gz

The 02_HOWTO document indicates that the exploit has a couple of options to send shellcode while probing for where to overwrite the function pointer.

Mike

----- Original Message -----
From: "Bill McCarty" <bmccartyat_private>
To: "Ulrich Keil" <ulrich@der-keiler.de>; <incidentsat_private>
Sent: Monday, July 01, 2002 6:25 PM
Subject: Re: OpenSSH Attack?

> Hi Ulrich,
>
> These lines resemble an attempt to add a line to the /etc/inetd.conf file
> in order to establish a backdoor. Probably, an attacker's autorooter went
> awry, thought it had compromised the victim host, and prematurely attempted
> to upload a backdoor. Nevertheless, I suggest you check whether any of
> your systems are listening on unusual ports, such as 2222.
>
> Cheers,
>
> --On Saturday, June 29, 2002 10:01 PM +0200 Ulrich Keil
> <ulrich@der-keiler.de> wrote:
>
> > I run OpenSSH 3.3p1 on linux (sparc) and found these lines in my
> > /var/log/messages:
> >
> > Jun 28 22:27:27 www sshd[21761]: Bad protocol version identification
> > 'echo "2222 stream tcp nowait root /bin/sh sh -i">>
> > /tmp/h;/usr/sbin/inetd /tmp/hn/inecho "2222 strea' from 192.192.230.233
>
> ---------------------------------------------------
> Bill McCarty
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
> ----------------------------------------------------------------------------
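As an added example, not part of the original thread: the log line Ulrich posted is OpenSSH's "Bad protocol version identification" message, which sshd emits when the first bytes a client sends are not an SSH version banner. Here the "banner" is a shell command that appends an inetd service entry (port 2222, root, /bin/sh) to a file and starts inetd on it, which is exactly the backdoor Bill describes. The script below scans syslog-style sshd lines for that message, separates harmless non-SSH probes (an HTTP scanner, say) from smuggled shell commands, pulls out the source address and the inetd-style port/user so the operator knows which listener to look for, and returns the set of ports worth checking with netstat or ss. The sample log lines are constructed for this example (the first is rebuilt from the posted entry, the others are invented); the regexes and marker list are my own assumptions about what an injected command looks like, not anything from the exploit or from OpenSSH.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# OpenSSH syslog line: "sshd[<pid>]: Bad protocol version identification '<banner>' from <ip>"
# (the format visible in the posted /var/log/messages excerpt).
BAD_BANNER_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: Bad protocol version identification "
    r"'(?P<banner>.*)' from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)

# An inetd.conf service entry of the shape "<port> stream tcp nowait <user> <prog> ..."
# (assumed shape; this is what the posted command echoes into /tmp/h).
INETD_RE = re.compile(
    r"(?P<port>\d{1,5})\s+stream\s+tcp\s+nowait\s+(?P<user>\S+)\s+(?P<prog>\S+)"
)

# Substrings that never belong in an SSH version banner but are typical of a
# shell command sent as the first bytes of the connection (assumed indicator list).
SHELL_MARKERS = ("/bin/sh", "/usr/sbin/inetd", ">>", ";", "sh -i")

# Constructed sample log: line 1 is rebuilt from the posted entry, lines 2-3 are invented.
SAMPLE_LOG = [
    "Jun 28 22:27:27 www sshd[21761]: Bad protocol version identification "
    "'echo \"2222 stream tcp nowait root /bin/sh sh -i\">> /tmp/h;/usr/sbin/inetd "
    "/tmp/hn/inecho \"2222 strea' from 192.192.230.233",
    "Jun 28 22:30:01 www sshd[21790]: Bad protocol version identification "
    "'GET / HTTP/1.0' from 10.0.0.5",
    "Jun 28 22:31:12 www sshd[21802]: Accepted publickey for ulrich from 10.0.0.9 port 40122 ssh2",
]


@dataclass
class Finding:
    src: str                    # address that sent the bogus banner
    pid: int                    # sshd child pid from the log line
    banner: str                 # the raw "banner" text sshd rejected
    markers: List[str]          # which shell indicators were present
    backdoor_port: Optional[int]  # port from an inetd-style entry, if one was found
    backdoor_user: Optional[str]  # user that entry would run the program as


def analyze_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a bad-banner message carrying shell syntax."""
    m = BAD_BANNER_RE.search(line.rstrip("\n"))
    if not m:
        return None
    banner = m.group("banner")
    markers = [s for s in SHELL_MARKERS if s in banner]
    if not markers:
        # Non-SSH client talking to port 22 (HTTP scanner, telnet); noisy but not a command.
        return None
    port = user = None
    im = INETD_RE.search(banner)
    if im:
        port = int(im.group("port"))
        user = im.group("user")
    return Finding(m.group("src"), int(m.group("pid")), banner, markers, port, user)


def analyze_log(lines: List[str]) -> List[Finding]:
    """Run analyze_line over every line, keeping only the suspicious ones."""
    return [f for f in (analyze_line(line) for line in lines) if f is not None]


def suggested_port_checks(findings: List[Finding]) -> Set[int]:
    """Ports an operator should verify nothing is listening on (e.g. with ss -lntp)."""
    return {f.backdoor_port for f in findings if f.backdoor_port is not None}


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.src}: shell markers {f.markers}, inetd backdoor port "
              f"{f.backdoor_port} as {f.backdoor_user}")
    print("check listeners on:", sorted(suggested_port_checks(analyze_log(SAMPLE_LOG))))
```

Feed it `/var/log/messages` (or the journal output) and only the lines whose rejected banner contains shell syntax come back; the bare "Bad protocol version identification" events from scanners that merely speak the wrong protocol are ignored, which keeps the hit list short enough to act on. The extracted port is the one to check for an unexpected root shell listener, as Bill suggests.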
This archive was generated by hypermail 2b30 : Tue Jul 02 2002 - 11:49:35 PDT