Re: What's this? SSH hack?



Ebenezer Scrooge wrote:

Found this shell script on a server:

#!/bin/bash
# cracker ssh backdoor - by AppleJuice
if [ -f /usr/sbin/sshd ]; then
FILE=/usr/sbin/sshd
NR=`strings $FILE | grep --line-number "ssh_mpmzm_pow" | awk -F ":" '{print $1}'`
_SNF=`expr $NR + 1`
_PASS=`expr $NR + 2`
SNF=`strings $FILE | head -n $_SNF | tail -n 1`
PASS=`strings $FILE | head -n $_PASS | tail -n 1`
echo "first string: $SNF"
echo "second string: $PASS"
fi


The server was obviously hacked, but I don't understand how the script
came on the server and its usage and purpose.

Are you using openssh, or some other ssh server? Also, which version are
you using? I cannot seem to find the string ssh_mpmzm_pow in the sshd
executable on any of my systems, nor can I find it in the source code for
openssh, nor in libssh*. Those systems are running Fedora; what is yours
running?

-- B
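
The check described in the reply above (looking for the string ssh_mpmzm_pow in an sshd executable), written out as an added example that is not part of either post. The function names and the two sample files are constructed for illustration; the marker string is the only value taken from the thread.

```bash
#!/bin/bash
# Added example (not from the thread): look for the marker string that the
# found script greps for, in one or more sshd binaries.
MARKER="ssh_mpmzm_pow"   # copied from the script quoted above

# has_marker FILE: succeed if FILE contains $MARKER anywhere in its bytes.
# Only the exit status is used (-q), so binary input needs no strings(1) pass.
has_marker() {
    LC_ALL=C grep -qF -- "$MARKER" "$1" 2>/dev/null
}

# check_binaries FILE...: print one status line per file.
# Returns 1 if any file contains the marker, 0 otherwise.
check_binaries() {
    cb_found=0
    for cb_file in "$@"; do
        if [ ! -f "$cb_file" ]; then
            echo "skip     $cb_file (not a regular file)"
        elif has_marker "$cb_file"; then
            echo "SUSPECT  $cb_file contains '$MARKER'"
            cb_found=1
        else
            echo "clean    $cb_file"
        fi
    done
    return "$cb_found"
}

# make_samples: write two constructed stand-in files (not real sshd builds)
# into a temp directory and print its path, so the check runs offline.
make_samples() {
    ms_dir=$(mktemp -d) || return 1
    printf 'ELF\000OpenSSH\000usage: sshd\000' > "$ms_dir/sshd.clean"
    printf 'ELF\000%s\000constructed-1\000constructed-2\000' "$MARKER" \
        > "$ms_dir/sshd.marked"
    echo "$ms_dir"
}

# With arguments, check those paths, e.g.: ./check.sh /usr/sbin/sshd
if [ "$#" -gt 0 ]; then
    check_binaries "$@"
fi
```

On an RPM-based system such as the Fedora hosts mentioned in the reply, `rpm -V openssh-server` additionally compares the installed sshd against the package database.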