Re: hacked through ssh

From: John (mcgowan_at_lynch2.com)
Date: 03/10/04

Date: 10 Mar 2004 06:43:21 -0800

dtucker@dodgy.net.au (Darren Tucker) wrote in message news:<c2m9lm$7k3$1@gate.dodgy.net.au>...
> In article <704ecc39.0403091430.644561b5@posting.google.com>,
> John <mcgowan@lynch2.com> wrote:
> >I've got a D2D backup appliance that came preinstalled with a version
> >of RH Linux. Not sure which version. However I am sure that it is
> >running OpenSSH_3.1p1.
> [...]
> >I'm 99% convinced (from searching google for half a day) that this was
> >due to the old version of OpenSSH and the fact that I had SSH open up
> >to the outside world. But I have not encountered any real proof that
> >what I'm looking at came from those mistakes.
>
> That version of OpenSSH did have an exploitable problem in some
> configurations (unless it was patched by the vendor):
> http://www.openssh.com/txt/preauth.adv

Yes, I'm aware of the exploitable problem. That's why I'm 99%
convinced that that was the problem. However, I'm still looking for
that definitive proof that that is how the bot or whatever made its
way into the system.

I found a post on a Bulgarian Linux website that quotes the exact same
junk that I saw in my rc.sysinit. Unfortunately, the only thing on the
post that makes any sense to me is the script code I already
recognize... The posts (including the followup that probably has what
I'm looking for) are all in Bulgarian. :)

/John