Security Incidents: Re: OpenSSH Attack?

["Mike Lewinski" <mike () rockynet com>]

It might be this one:

http://www.immunitysec.com/GOBBLES/exploits/sshutup-theo.tar.gz

02_HOWTO document indicates that the exploit has a couple options to send
shellcode while probing for where to overwrite the function pointer.

Mike



----- Original Message -----
From: "Bill McCarty" <bmccarty () apu edu>
To: "Ulrich Keil" <ulrich () der-keiler de>; <incidents () securityfocus com>
Sent: Monday, July 01, 2002 6:25 PM
Subject: Re: OpenSSH Attack?


> Hi Ulrich,
>
> These lines resemble an attempt to add a line to the /etc/inetd.conf file
> in order to establish a backdoor. Probably, an attacker's autorooter went
> awry, thought it had compromised the victim host, and prematurely
attempted
> to upload a backdoor.  Nevertheless, I suggest you check whether any of
> your systems are listening on unusual ports, such as 2222.
>
> Cheers,
>
> --On Saturday, June 29, 2002 10:01 PM +0200 Ulrich Keil
> <ulrich () der-keiler de> wrote:
>
> > I run OpenSSH 3.3p1 on linux (sparc) and found these line in my
> > /var/log/messages:
> >
> > Jun 28 22:27:27 www sshd[21761]: Bad protocol version identification
> > 'echo "2222 stream tcp nowait root /bin/sh sh -i">>
> > /tmp/h;/usr/sbin/inetd /tmp/hn/inecho "2222 strea' from 192.192.230.233
> ---------------------------------------------------
> Bill McCarty
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com