Re: What's this? SSH hack?

VanguardLH wrote:

Ebenezer Scrooge wrote:

Found this shell script on a server:

# cracker ssh backdoor - by AppleJuice
if [ -f /usr/sbin/sshd ]; then
NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
_SNF=`expr $NR + 1`
_PASS=`expr $NR + 2`
SNF=`strings $FILE | head -n $_SNF | tail -n 1`
PASS=`strings $FILE | head -n $_PASS | tail -n 1`
echo "first string: $SNF"
echo "second string: $PASS"

The server was obviously hacked, but I don't understand how the script
came onto the server, or its usage and purpose.

On quick inspection (I'm no bash script expert), the script is
trying to find a master password encoded inside the sshd (SSH daemon).
Sorry but I'm also not a *NIX guru to even know if SSH has a backdoor or
master password encoded within it. From a Google search:

The backdoor only appears to affect older versions of openssh; I just took a
look at the openssh source code on my system, and there does not appear to
be any way to set a backdoor password. I have never heard of anyone setting
such an ssh backdoor, but it certainly appears to have been an option at
some point.

-- B
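
A defender's check built on the marker string that the quoted script looks for, as an added example that is not part of the thread. The function names `check_marker`, `scan` and `demo` are hypothetical, and the sample files that `demo` creates are constructed, not real sshd builds.

```shell
#!/bin/sh
# Added example, not from the thread: flag binaries that contain the marker
# string the quoted script searches for in sshd.

MARKER="ssh_mpmzm_pow"   # copied from the quoted script

# check_marker FILE -> 0: marker present, 1: absent, 2: FILE not readable
check_marker() {
    [ -f "$1" ] && [ -r "$1" ] || return 2
    # -a: read binary as text, -F: fixed string, -q: exit status only
    LC_ALL=C grep -a -q -F -e "$MARKER" "$1"
}

# scan FILE... -> one verdict line per file; returns 1 if any file was flagged
scan() {
    flagged=0
    for f in "$@"; do
        rc=0
        check_marker "$f" || rc=$?
        case $rc in
            0) flagged=$((flagged + 1))
               # hash the flagged file so it can be compared with the package's copy
               sum=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
               echo "SUSPICIOUS $f sha256=${sum:-unavailable}" ;;
            1) echo "no-marker  $f" ;;
            *) echo "unreadable $f" ;;
        esac
    done
    [ "$flagged" -eq 0 ]
}

# demo: run scan over constructed sample files (assumption: mktemp is available)
demo() {
    d=$(mktemp -d) || return 2
    printf 'ELF\000ssh_mpmzm_pow\000constructed-a\000constructed-b\000' > "$d/sshd.tampered"
    printf 'ELF\000OpenSSH\000constructed\000' > "$d/sshd.stock"
    drc=0
    scan "$d/sshd.tampered" "$d/sshd.stock" "$d/sshd.missing" || drc=$?
    rm -rf "$d"
    return "$drc"
}

# Scan the paths given on the command line, e.g. /usr/sbin/sshd
if [ "$#" -gt 0 ]; then
    scan "$@"
fi
```

A `no-marker` verdict only means this one string is absent; it does not show that the binary is unmodified, so the hash should still be compared with the distribution package's copy.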