Full Disclosure mailing list archives
Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!*
From: christopher neitzert <chris () neitzert com>
Date: Fri, 19 Sep 2003 01:27:12 -0400
Lars, What you say is true. For those of you who are interested attached is an strace of this bogus exploit that I ran in my lab on disposable systems in captive network. Note, on the parent PID file I edited out quite a bit of repetitive bogus wait statements, no sense in filling your mailboxes with 400k lines of crap. ... Chris On Fri, 2003-09-19 at 03:07, Lars Olsson wrote:
On Fri, 19 Sep 2003, Vitaly Osipov wrote:This means that the original poster (gordon last) made it up himself, because he is saying :i looked at this piece of exploit... it is binary so i'am not sure if this is a trojan or a backdoor or a virus. but i can't see anything strange while sniffing the exploit traffic. and i got root on serveral of my openbsd boxes with that. the bruteforcer seems to be very good.which is obviously not true. Btw as far as I understand, the troyan code is triggered when the "exploit" is run with the offset specified, and not in a "bruteforcing" mode.The trojan seems to be triggered in both cases, providing that the "bruteforcing" terminates. I haven't test run the code but I did a very quick reverse of the binary. It connects to the remote sshd but only sends the key used for descrmbling the trojan code while it pretends to search for offsets. /Lars
-- Christopher Neitzert http://www.neitzert.com/~chris
Attachment:
fake-exploit-strace.pid1061.EDITED.txt
Description:
Attachment:
fake-exploit-strace.pid1062.txt
Description:
Attachment:
fake-exploit-strace.pid1063.txt
Description:
Attachment:
fake-exploit-strace.pid1064.txt
Description:
Attachment:
fake-exploit-strace.pid1065.txt
Description:
Attachment:
fake-exploit-strace.pid1066.txt
Description:
Attachment:
fake-exploit-strace.pid1067.txt
Description:
Attachment:
fake-exploit-strace.pid1068.txt
Description:
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- Re: new openssh exploit in the wild! * is FAKE AS SH@!* Vitaly Osipov (Sep 18)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Lars Olsson (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* christopher neitzert (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Raymond Dijkxhoorn (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Adam Balogh (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* V.O. (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* Adam Balogh (Sep 19)
- RE: Re: new openssh exploit in the wild! *isFAKE AS SH@!* Chris Eagle (Sep 19)
- Re: Re: new openssh exploit in the wild! * isFAKE AS SH@!* V.O. (Sep 19)
- Re: Re: new openssh exploit in the wild! * is FAKE AS SH@!* Lars Olsson (Sep 19)