Re: What's this? SSH hack?



Ebenezer Scrooge wrote:

Found this shell script on a server:

#!/bin/bash
# cracker ssh backdoor - by AppleJuice
if [ -f /usr/sbin/sshd ]; then
FILE=/usr/sbin/sshd
# line number (within `strings` output) of the marker string
NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
# the two strings that follow the marker
_SNF=`expr $NR + 1`
_PASS=`expr $NR + 2`
SNF=`strings $FILE | head -n $_SNF | tail -n 1`
PASS=`strings $FILE | head -n $_PASS | tail -n 1`
echo "first string: $SNF"
echo "second string: $PASS"
fi


The server was obviously hacked, but I don't understand how the script
got onto the server, or its usage and purpose.

Are you using openssh, or some other ssh server? Also, which version are
you using? I cannot seem to find the string ssh_mpmzm_pow in the sshd
executable on any of my systems, nor can I find it in the source code for
openssh, nor in libssh*. Those systems are running Fedora; what is yours
running?

-- B
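A portable version of the check the posted script performs, added here as an example and not taken from the thread: it approximates `strings`, looks for the marker and returns the two strings that follow it, so an admin can run it against an sshd binary and expect None on a clean one. The sample blobs and the helper names are constructed assumptions.

```python
import re
from pathlib import Path
from typing import List, Optional, Tuple

# Marker string taken from the script in the post; everything else is assumed.
MARKER = "ssh_mpmzm_pow"
MIN_LEN = 4  # GNU strings' default minimum run length


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Approximate `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def marker_neighbours(data: bytes, marker: str = MARKER) -> Optional[Tuple[str, ...]]:
    """Replicate the script's logic: find the first string containing the marker
    and return the two strings after it (the script's SNF and PASS).
    Returns None when the marker is absent, which is what a clean sshd gives,
    and a shorter tuple if the data ends right after the marker."""
    strs = extract_strings(data)
    for i, s in enumerate(strs):
        if marker in s:
            return tuple(strs[i + 1:i + 3])
    return None


def scan_binary(path: str = "/usr/sbin/sshd") -> Optional[Tuple[str, ...]]:
    """Read a binary from disk and check it for the marker (path is an assumption)."""
    return marker_neighbours(Path(path).read_bytes())


# Constructed sample blobs (not real sshd binaries) exercising both outcomes.
CLEAN_SAMPLE = b"\x7fELF\x02\x01\x01\x00" + b"OpenSSH_9.0\x00" + b"sshd: no marker\x00"
MARKED_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00" + b"OpenSSH_9.0\x00"
    + b"ssh_mpmzm_pow\x00" + b"/tmp/constructed.log\x00" + b"constructedpass\x00"
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_SAMPLE), ("marked", MARKED_SAMPLE)):
        print(name, marker_neighbours(blob))
```

A hit on a real system is worth following up with a package-manager integrity check of the sshd binary rather than trusting the strings alone.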