Re: What's this? SSH hack?



VanguardLH wrote:

Ebenezer Scrooge wrote:

Found this shell script on a server:

#!/bin/bash
# cracker ssh backdoor - by AppleJuice
if [ -f /usr/sbin/sshd ]; then
FILE=/usr/sbin/sshd
# line number (within the output of strings) of the marker string
NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
# the two strings that follow the marker
_SNF=`expr $NR + 1`
_PASS=`expr $NR + 2`
SNF=`strings $FILE | head -n $_SNF | tail -n 1`
PASS=`strings $FILE | head -n $_PASS | tail -n 1`
echo "first string: $SNF"
echo "second string: $PASS"
fi

The server was obviously hacked, but I don't understand how the script
came on the server and its usage and purpose

On quick inspection (I'm no bash script expert) it appears that the script is
trying to find a master password encoded inside the sshd (SSH daemon).
Sorry, but I'm also not a *NIX guru, so I can't say whether SSH has a backdoor or
master password encoded within it. From a Google search:

http://www.google.com/search?q=%2Bssh+%2Bbackdoor+%2Bpassword

The backdoor only appears to affect older versions of openssh; I just took a
look at the openssh source code on my system, and there does not appear to
be any way to set a backdoor password. I have never heard of anyone setting
such an ssh backdoor, but it certainly appears to have been an option at
some point.

-- B
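A defender-side check, added here as an example and not taken from the thread: it reports whether the marker string the posted script keys on (ssh_mpmzm_pow) is present in a binary and whether that binary matches a known-good SHA-256, without printing anything found after the marker. The baseline hash and the /usr/sbin/sshd path are assumptions you supply; string extraction is done with tr/awk so it does not depend on binutils' strings(1).

```bash
#!/bin/bash
# Example check for a trojaned sshd (not from the original post).
# Marker "ssh_mpmzm_pow" comes from the posted script; the baseline
# hash is a placeholder to be replaced with one from a trusted copy.

# Extract printable strings of 4+ chars, like strings(1), using only tr/awk.
extract_strings() {
  tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# Exit 0 if the marker string occurs in the file, 1 otherwise.
has_backdoor_marker() {
  extract_strings "$1" | grep -q -F -- "$2"
}

# Exit 0 if the file's SHA-256 equals the expected (known-good) digest.
matches_baseline() {
  local actual
  actual=$(sha256sum "$1" | awk '{print $1}')
  [ "$actual" = "$2" ]
}

# Print CLEAN or SUSPECT; exit 1 on SUSPECT. Findings go to stderr.
check_sshd() {
  local file=$1 marker=$2 baseline=$3 verdict=CLEAN
  if ! matches_baseline "$file" "$baseline"; then
    echo "hash mismatch against baseline for $file" >&2
    verdict=SUSPECT
  fi
  if has_backdoor_marker "$file" "$marker"; then
    echo "marker '$marker' present in $file" >&2
    verdict=SUSPECT
  fi
  echo "$verdict"
  [ "$verdict" = CLEAN ]
}

# Usage (assumed path; baseline must come from trusted package metadata):
# check_sshd /usr/sbin/sshd ssh_mpmzm_pow "<sha256 of known-good sshd>"
```

On RPM-based systems `rpm -V openssh-server`, and on Debian-based ones `dpkg -V openssh-server` or `debsums`, answer the same question from package metadata, but a rootkit on the host can subvert any of these, so compare against a copy obtained from trusted media where possible.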