Re: hacked through ssh

From: John (
Date: 03/10/04

Date: 10 Mar 2004 06:43:21 -0800 (Darren Tucker) wrote in message news:<c2m9lm$7k3$>...
> In article <>,
> John <> wrote:
> >I've got a D2D backup appliance that came preinstalled with a version
> >of RH Linux. Not sure which version. However I am sure that it is
> >running OpenSSH_3.1p1.
> [...]
> >I'm 99% convinced (from searching google for half a day) that this was
> >due to the old version of OpenSSH and the fact that I had SSH open up
> >to the outside world. But I have not encountered any real proof that
> >what I'm looking at came from those mistakes.
> That version of OpenSSH did have an exploitable problem in some
> configurations (unless it was patched by the vendor):

Yes, I'm aware of the exploitable problem. That's why I'm 99%
convinced that that was the problem. However, I'm still looking for
that definitive proof that that is how the bot or whatever made its
way into the system.

I found a post on a Bulgarian Linux website that quotes the exact same
junk that I saw in my rc.sysinit. Unfortunately, the only thing on the
post that makes any sense to me is the script code I already
recognize... The posts (including the followup that probably has what
I'm looking for) are all in Bulgarian. :)