Re: hacked through ssh
From: John (mcgowan_at_lynch2.com)
Date: 10 Mar 2004 06:43:21 -0800
email@example.com (Darren Tucker) wrote in message news:<firstname.lastname@example.org>...
> In article <email@example.com>,
> John <firstname.lastname@example.org> wrote:
> >I've got a D2D backup appliance that came preinstalled with a version
> >of RH Linux. Not sure which version. However I am sure that it is
> >running OpenSSH_3.1p1.
> >I'm 99% convinced (from searching google for half a day) that this was
> >due to the old version of OpenSSH and the fact that I had SSH open up
> >to the outside world. But I have not encountered any real proof that
> >what I'm looking at came from those mistakes.
> That version of OpenSSH did have an exploitable problem in some
> configurations (unless it was patched by the vendor):
Yes, I'm aware of the exploitable problem. That's why I'm 99%
convinced that that was the problem. However, I'm still looking for
that definitive proof that that is how the bot or whatever made its
way into the system.
I found a post on a Bulgarian Linux website that quotes the exact same
junk that I saw in my rc.sysinit. Unfortunately, the only thing on the
post that makes any sense to me is the script code I already
recognize... The posts (including the followup that probably has what
I'm looking for) are all in Bulgarian. :)