Re: What's this? SSH hack?
- From: "Mr. B" <not@xxxxxxxxxxxx>
- Date: Sun, 06 Feb 2011 10:36:32 -0500
Ebenezer Scrooge wrote:
> Found this shell script on a server:
>
> #!/bin/bash
> # cracker ssh backdoor - by AppleJuice
> if [ -f /usr/sbin/sshd ]; then
> FILE=/usr/sbin/sshd
> NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
> _SNF=`expr $NR + 1`
> _PASS=`expr $NR + 2`
> SNF=`strings $FILE | head -n $_SNF | tail -n 1`
> PASS=`strings $FILE | head -n $_PASS | tail -n 1`
> echo "first string: $SNF"
> echo "second string: $PASS"
> fi
>
> The server was obviously hacked, but I don't understand how the script
> came on the server and its usage and purpose.

Are you using openssh, or some other ssh server? Also, which version are
you using? I cannot seem to find the string ssh_mpmzm_pow in the sshd
executable on any of my systems, nor can I find it in the source code for
openssh, nor in libssh*. Those systems are running Fedora; what is yours
running?
-- B
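
The check described in the reply above (searching the sshd executable for the string ssh_mpmzm_pow), as an added example that is not part of the original post. The function names scan_file and scan_all are hypothetical, and grep -a is used in place of strings; the code only reports whether the marker is present and never prints the strings stored after it.

```shell
#!/bin/sh
# Added triage example (not from the thread): report which binaries carry
# the marker string that the found script searches for.

MARKER="ssh_mpmzm_pow"   # marker string quoted in the thread

# scan_file FILE [MARKER]
# Prints one status line. Returns 0 = marker absent, 1 = marker present,
# 2 = file missing or unreadable.
scan_file() {
    file=$1
    marker=${2:-$MARKER}
    if [ ! -r "$file" ]; then
        echo "UNREADABLE $file"
        return 2
    fi
    # -a: read the binary as text, -F: fixed string, -c: count matching lines.
    # grep exits 1 when nothing matches, so neutralise that status.
    hits=$(grep -a -c -F -- "$marker" "$file" || true)
    if [ "$hits" -gt 0 ]; then
        # Record a hash so the sample can be tracked during the investigation.
        echo "SUSPECT    $file sha256=$(sha256sum "$file" | cut -d' ' -f1)"
        return 1
    fi
    echo "clean      $file"
    return 0
}

# scan_all FILE...
# Scans every file given; returns 1 if any of them carries the marker.
scan_all() {
    rc=0
    for f in "$@"; do
        status=0
        scan_file "$f" || status=$?
        if [ "$status" -eq 1 ]; then rc=1; fi
    done
    return $rc
}

# Stand-alone use: pass the binaries to check as arguments,
# e.g. /usr/sbin/sshd (the path used in the found script).
if [ "$#" -gt 0 ]; then
    scan_all "$@"
fi
```

A hit is only a starting point: compare the binary against the distribution package (for example with rpm -V on Fedora) from trusted media, since tools on a compromised host may themselves be altered.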