Re: Possible remote vulnerability in SSH-1.2.27

From: Andrei Muresan (andreiat_private)
Date: Wed Oct 02 2002 - 22:34:45 PDT


    On Wed, 2 Oct 2002 12:14:58 +0500 (AMST)
    stealth <stealthat_private> wrote:
    
    > A worm scans the network for a special configuration (particularly ssh-1.x.x
    > allowing remote root login); using a buffer overflow, as far as I could determine,
    > it gets a remote root shell, copies some code, compiles it and runs it.
    > The code also includes a scanner, for the worm to continue its job from the
    > machine it vulnes.
    > 
    > It also erases /var/log/messages, and stops syslogd and many other
    > services (see attachment for details), disables $HISTORY, adds a user `tcp'
    > to the system passwd file, erases `top', `netstat', `ps', replaces the
    > sshd with some other service it calls backdoor together with its
    > configuration file, runs it instead of sshd, changes config files like
    > known_hosts, random_seed, etc., chattr +i /etc/passwd and /etc/shadow to
    > make them read-only. Does a lot of other things; you can find them in the
    > attached script I could recover from the deleted files.
    > 
    > The main goal, as far as I could determine, is to run a process `httpd', which is
    > actually an IRC bot.
    > 
    > For the whole stuff in tar.gz format (source code of the scanner, IRC bot,
    > etc) please let me know privately via e-mail.
    > 
    >
    
    This is just another bored Romanian kid; it seems we've got lots here. Nothing special about the script, having in mind that it is a simple _plain_ text file; probably it's very popular on the _newbie_ scene. For them it's an out_of_the_box backdoor solution, no matter the superficial capability. If we think about the "stealth" nature of the install, we can be almost sure it's all about a lame user/group that does mass scanning/hacking for their "big" IRC war.
    
    Bottom line, just have a tripwire installed/configured and you'll "have" them by dinner. Maybe they think "hey, it's so simple that they won't even see it or bother to remove it", who knows...
    
    My kind regards,
    
    -- 
    Andrei MURESAN
    Network Administrator
    IT Department
    Banca Transilvania, Cluj-Napoca
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
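A defender-side check for the host changes stealth lists above (replaced ps/netstat/top/sshd, added `tcp' account) in the spirit of the tripwire advice in the reply, as an added example that is not part of the thread. The WATCHED and SUSPECT_USERS lists, the uid-0 rule and the scratch-directory demo are constructed assumptions; on a real host you would baseline the real binaries and a copy of /etc/passwd.

```python
# Added example, not from the thread: a minimal tripwire-style check for the
# host changes described above. Paths are parameters so it runs on a scratch
# directory; on a real host point it at /bin, /usr/sbin and /etc/passwd.
import hashlib
import os
import tempfile

WATCHED = ["ps", "netstat", "top", "sshd"]   # binaries the report says were replaced
SUSPECT_USERS = {"tcp"}                      # account the report says was added

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def build_baseline(root, names=WATCHED):
    """Trusted snapshot: (sha256, mode) of each watched file under root."""
    return {n: (sha256_of(os.path.join(root, n)), os.stat(os.path.join(root, n)).st_mode)
            for n in names}

def check_integrity(root, baseline):
    """Names whose content or mode differ from the baseline, or which are missing."""
    changed = []
    for name, (digest, mode) in baseline.items():
        p = os.path.join(root, name)
        if not os.path.exists(p) or (sha256_of(p), os.stat(p).st_mode) != (digest, mode):
            changed.append(name)
    return sorted(changed)

def suspect_accounts(passwd_text, suspects=SUSPECT_USERS):
    """(user, uid) for passwd lines naming a suspect account or a second uid-0 user."""
    hits = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and (f[0] in suspects or (f[2] == "0" and f[0] != "root")):
            hits.append((f[0], f[2]))
    return hits

def demo():
    """Constructed scenario: baseline a scratch dir, then 'replace' ps and remove netstat."""
    root = tempfile.mkdtemp()
    for n in WATCHED:
        with open(os.path.join(root, n), "wb") as f:
            f.write(b"stand-in binary " + n.encode())   # constructed placeholder content
    base = build_baseline(root)
    with open(os.path.join(root, "ps"), "wb") as f:
        f.write(b"trojaned ps that hides the httpd bot")  # the worm's replaced ps
    os.remove(os.path.join(root, "netstat"))              # the worm erases netstat
    return check_integrity(root, base)
```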
    
    This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 11:15:32 PDT