Re: Strange command histories in hacked shell server

From: Jim Halfpenny (jim_at_openanswers.co.uk)
Date: 12/22/04

    Date: Wed, 22 Dec 2004 09:52:41 +0000 (GMT)
    To: Valdis.Kletnieks@vt.edu

    On Fri, 17 Dec 2004 Valdis.Kletnieks@vt.edu wrote:

    > > sshd -F tsgan __ 0.02 secs Tue Dec 14 00:27
    > > sh - tsgan ttyp0 0.02 secs Tue Dec 14 00:27
    > > cat - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
    > > su - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
    > > sleep - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
    > > ^^^^^^
    > > stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
    > > stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
    > > ^^^^^^
    > > fortune - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
    > > ...
    > >
    > > I don't quite understand why he used sleep and stty commands in above.
    > > My suspect is tty hijacking. Am I right? Correct me if I'm wrong.
    >
    > My suspect is that your .login contains a 'fortune', an 'stty' or two, and a 'sleep',
    > and those happened at login - the first *real* command actually issued was
    > probably a 'su -c cat something', after which the person logged out, causing the
    > login 'sh' and 'sshd' to exit.

    I'd suggest a trojan was executed which contained commands used to
    steal passwords. The real login prompt was followed by a short pause
    (sleep), stty was used to turn off echoing of stdin (stty -echo), a false
    password prompt was displayed and the output captured to a file or sent to the
    intruder in some other fashion. The second stty restored echoing of stdin.

    My guess is a trojan .login/.profile that prompted a second time for a
    password after a successful login and then executed the remaining commands
    e.g. /usr/bin/fortune. Do you remember typing your password in twice,
    thinking you'd made a typo the first time?

    Regards,
    Jim Halfpenny
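The login-time signature Jim describes (a sleep and a pair of stty runs in the same minute as the login shell, on the same tty) can be triaged directly from accounting records of the kind quoted above. The script below is an added example, not part of the thread; it assumes the lastcomm-style column layout of the quoted lines (command, flags, user, tty, CPU time, "secs", weekday, month, day, HH:MM), which differs between platforms, and the sample records are constructed.

```shell
#!/bin/sh
# Scan lastcomm-style accounting lines for the fake-password-prompt pattern:
# on one (user, tty, minute) key, a login shell plus a sleep plus >= 2 stty runs.

# Constructed sample modelled on the quoted records; not real accounting data.
SAMPLE_ACCT='sshd -F tsgan __ 0.02 secs Tue Dec 14 00:27
sh - tsgan ttyp0 0.02 secs Tue Dec 14 00:27
cat - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
su - tsgan ttyp0 0.00 secs Tue Dec 14 00:28
sleep - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
stty - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
fortune - tsgan ttyp0 0.00 secs Tue Dec 14 00:27
sh - bob ttyp1 0.01 secs Tue Dec 14 01:10
ls - bob ttyp1 0.00 secs Tue Dec 14 01:10
stty - bob ttyp1 0.00 secs Tue Dec 14 01:15'

# flag_fake_prompts: reads accounting lines on stdin and prints one line per
# suspicious session as "user tty Mon DD HH:MM".
flag_fake_prompts() {
    awk '
    NF >= 10 {
        cmd = $1; user = $3; tty = $4
        stamp = $(NF-2) " " $(NF-1) " " $NF     # month day HH:MM
        if (tty == "__") next                   # no controlling tty (sshd)
        key = user " " tty " " stamp
        if (cmd ~ /^(sh|bash|csh|tcsh|ksh|zsh)$/) shell[key] = 1
        if (cmd == "sleep") slept[key] = 1
        if (cmd == "stty")  stty[key]++
    }
    END {
        for (k in shell)
            if (slept[k] && stty[k] >= 2) print k
    }'
}

# flag_count: number of flagged sessions in the constructed sample.
flag_count() {
    printf "%s\n" "$SAMPLE_ACCT" | flag_fake_prompts | wc -l | tr -d " "
}

printf "%s\n" "$SAMPLE_ACCT" | flag_fake_prompts
```

A hit is a triage signal, not proof: as Valdis notes, a legitimate .login can also run stty, so the flagged user's startup files still need to be read.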

