After looking around a bit more (should have researched a bit before
posting), the second sshf that currently resides at frauder.us is
infected with RST-variant.
More info at:
http://www.lockeddown.net/rst-expl.txt
Bill
-----Original Message-----
From: Bill Roemhild
Sent: Sunday, August 15, 2004 1:58 AM
To: full-disclosure_at_lists.netsys.com
Subject: RE: [Full-disclosure] Automated SSH login attempts?
Ohh great.. two different versions floating around. Not sure where I
got the first one, but the second was from frauder.us.
-rwxr-xr-x 1 root root 1365263 Jul 12 11:10 sshf1*
-rwxr-xr-x 1 root root 1369359 Aug 1 19:24 sshf2*
root_at_deepcycle:/usr/local/src/ssh/show# strings sshf1 > sshf1.strings
root_at_deepcycle:/usr/local/src/ssh/show# strings sshf2 > sshf2.strings
root_at_deepcycle:/usr/local/src/ssh/show# diff sshf1.strings sshf2.strings
4402a4403,4466
> SQRVW
> _^ZY[
> SQR1
> SQRV
> H^ZY[
> SQRVW
> _^ZY[
> _^ZY[
> QSP1
> QSP1
> QSP1
> QSP1
> RQSP1
> X[YZ
> RQSP1
> X[YZ
> QSP1
> SQRV1
> ^ZY[
> /dev/hdx
> SQRVW
> ZY[=
> ZY[=
> _^ZY[
> SQRVW
> Y[_^ZY[
> ZY[=
> [SQRVW
> tBSQR
> ZY[=
> ZY[=
> [X_^ZY[
> DOM`
> /bin/sh
> xxxxyyyyzzzz
> Y[XXXXXX
> GET /~telcom69/gov.php HTTP/1.0
> ppp0
> eth0
> h/bin
> PSQRVWP
> [X_^ZY[X
> SQRVWS
> ZY[=
> ZY[f
> ZY[=
> ZY[=
> fAf;NH
> ZY[=
> YQSQR
> ZY[=
> ZY[=
> ZY[fAf;NLr
> ZY[=
> ZY[=
> F4SQR
> ZY[=
> [X_^ZY[
> ZY[=
> _WSQR
> ZY[SQR
> snortdos
> tory
> /lib/ld-linux.so.2
Bill
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Received on Aug 15 2004
Intro
